International Journal of Network Security & Its Applications (IJNSA), Vol.2, No.4, October 2010
A FORMAL VERIFICATION FRAMEWORK FOR
SECURITY POLICY MANAGEMENT IN MOBILE IP BASED WLAN
Soumya Maity¹, P Bera¹, S K Ghosh¹, Pallab Dasgupta²
¹School of Information Technology, Indian Institute of Technology, Kharagpur, India
²Department of Computer Science and Engineering, Indian Institute of Technology, Kharagpur, India
KEYWORDS
WLAN, Security Policy, Verification, Mobile IP
1. INTRODUCTION
The widespread deployment and dynamic topology characteristics of wireless networks make security management in wireless networks (WLAN) increasingly difficult. Mobile users (with laptops and hand-held devices) remotely access the internal network from a public network zone and hence may violate the organisational security policies. Typically, an organisational security policy provides a set of rules governing access to network objects by the various users in the network. This requires a strong security policy management system with appropriate access control models to meet the organisational security needs.
An enterprise LAN demands that the security policies be implemented over the distributed network for proper functioning of the policy based security management system. For policy based security management, a primary concern is partitioning the network topology into different logical policy zones and then enforcing the security policies in those zones through a set of functional elements. This requires proper distribution of the system functionality (or functional rules) among the various architectural elements. However, the deployment of policy based security management in a wireless network (WLAN) requires appropriate access control models (such as role-based access control (RBAC) or spatio-temporal RBAC) for representing and enforcing the security policies. This is due to the dynamic topology characteristics of wireless networks, as wireless nodes may not bind to a specific IP address. For this reason mobile IP is used. The mobile IP  is always specific to a host and does not change from location to location. The background and standards for policy based security management can be found in RFC 3198 . Using mobile IP to implement the security policy increases the performance of the system and gives better results compared to the MAC based models referred to in  and .
Role based access control (RBAC) mechanisms are already being used for controlled access management in commercial organizations. In RBAC, permissions are attached to roles, and users must be assigned to these roles to get the permissions for accessing the resources. Recently, temporal RBAC (TRBAC) and spatio-temporal RBAC (STRBAC) models have also evolved for location and time dependent access control. In wireless LAN security management, the STRBAC model can be used where the users associated with a role can access network objects if they satisfy certain location and time constraints. For example, in an academic network, students are not allowed to access the Internet from their residential halls during class time (say, 08:00-18:00 on weekdays). However, they are always allowed to access the Internet from the academic departments.
• Home Agent is a designated router in the home network of the mobile node. It maintains the mobility binding in a mobility binding table where each entry is identified by the tuple ⟨α, τ, l̃⟩, where α is the permanent home address, τ is the temporary care-of address and l̃ is the association lifetime.
• Foreign Agents are specialized routers on the foreign network that the mobile node is currently visiting. The foreign agent maintains a visitor list which contains information about the mobile nodes currently visiting that network. Each entry in the visitor list is identified by the tuple ⟨α, ψ, w, l̃⟩, where ψ is the address of the Home Agent and w is the MAC address of the mobile node. The foreign agent provides the new τ to a host.
• Central Authentication & Role Server (CARS) which authenticates the users (or nodes) and access points (AP) and also assigns appropriate roles to the users based on user credentials.
• Local Role Servers (LRS) corresponding to the respective policy zones are populated with the user-role information from the CARS.
• The Global Policy Server formally models the global security policy, GP, and determines the high level policy configurations (represented as GP_Z1, ..., GP_ZN) for the various policy zones.
• The distributed Wireless Policy Zone Controllers (WPZCons) determine the low level access configurations (represented as LP_Z1, ..., LP_ZN) in coordination with the local role servers and validate the access configurations against the high level policy configurations.
• We propose a formal STRBAC model to represent the security policies and access configurations in the system.
• A SAT based framework has been presented to verify the low level access configuration with respect to the global policy.
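As an added illustration (not the paper's model or tool), the student Internet-access rule from the introduction can be written as a global policy and a zone-level configuration checked against it. Time is discretised into hourly slots and exhaustive enumeration stands in for the SAT solver; the role names, zone names and rule format are assumptions.

```python
from itertools import product

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
WEEKDAYS = frozenset(DAYS[:5])
ALL_DAYS = frozenset(DAYS)
ROLES = ["student", "guest"]   # assumed role names
ZONES = ["hall", "dept"]       # assumed policy-zone names

def global_policy(role, zone, day, hour):
    """Global policy GP: may this role reach the Internet from this zone now?"""
    if role != "student":
        return False                       # assumed default: deny other roles
    if zone == "dept":
        return True                        # always allowed from departments
    class_time = day in WEEKDAYS and 8 <= hour < 18
    return not class_time                  # halls: blocked during class time

def zone_decision(rules, role, day, hour):
    """Low-level zone configuration: ordered rules, first match wins."""
    for r_role, days, start, end, action in rules:
        if r_role == role and day in days and start <= hour < end:
            return action == "permit"
    return False                           # implicit deny, as in an ACL

def verify(config):
    """Return every (role, zone, day, hour, kind) where config and GP disagree."""
    findings = []
    for role, zone, day, hour in product(ROLES, ZONES, DAYS, range(24)):
        wanted = global_policy(role, zone, day, hour)
        actual = zone_decision(config[zone], role, day, hour)
        if actual and not wanted:
            findings.append((role, zone, day, hour, "violates GP"))
        elif wanted and not actual:
            findings.append((role, zone, day, hour, "over-restrictive"))
    return findings

# Constructed configurations (not from the paper).
GOOD = {
    "hall": [("student", WEEKDAYS, 8, 18, "deny"),
             ("student", ALL_DAYS, 0, 24, "permit")],
    "dept": [("student", ALL_DAYS, 0, 24, "permit")],
}
# Same as GOOD, but the deny window in the hall zone starts an hour late.
BAD = {**GOOD, "hall": [("student", WEEKDAYS, 9, 18, "deny"),
                        ("student", ALL_DAYS, 0, 24, "permit")]}

if __name__ == "__main__":
    print("GOOD:", verify(GOOD))
    for finding in verify(BAD):
        print("BAD :", finding)
```

Each finding is a concrete counterexample, which is what a SAT solver would return as a satisfying assignment of the formula "configuration and global policy disagree".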
The rest of the paper is organized as follows. Related work in the areas of wireless LAN policy based security management and spatio-temporal RBAC models is described in section 2. In section 3, we describe the architecture and operational flow of the proposed WLAN policy management system. Section 4 describes the proposed spatio-temporal RBAC model to support our policy management system. The analysis of the framework with a case study is presented in section 5. Section 6 describes the SAT based verification procedure for analyzing the access configurations with respect to the global policy.
2. RELATED WORK
Policy based security management is still at an early stage of deployment in wireless networks, whereas considerable research has been performed in this area for wired LANs. Westerinen et al.  standardised the terminologies and functional elements for policy based management. The research outcome of the IST-POSITIF project  is a policy-based security framework for local area networks. The IETF Policy working group developed a framework for network policy based admission control . It consists of a central policy server that interprets the policies, makes policy decisions and communicates them to various policy enforcement points. J Burns et al. propose a framework  for automatic management of network security policies based on a central policy engine. The policy engine is populated with models of network elements and services, validates policies and computes new configurations for network elements when policies are violated. However, the framework considers only a very simple set of policy constraints. A recent work  by Lapiotis et al. addresses policy based security management in wireless LAN. They propose a distributed policy based architecture which includes a central policy engine and distributed wireless domain managers with consistent local policy autonomy. However, they do not describe the type of security policies enforced, nor the formal validation of the policies.
The role based access control (RBAC) model  is used for addressing the access requirements of commercial organizations. Several works have improved RBAC functionality by incorporating time and location information. Joshi et al.  propose a Generalized Temporal Role Based Access Control Model (GTRBAC) that incorporates time into the RBAC model. Temporal constraints determine when a role can be enabled or disabled. In this work, the authors introduce the concept of a time-based role hierarchy. GEO-RBAC  is an extension of RBAC incorporating spatial information. Here, the roles are activated based on location. Ray and Toahchoodee  propose a Spatio-Temporal Role-Based Access Control Model incorporating both time and location information. We introduce the notion of a wireless policy zone to represent location in our model. The role permissions to access network objects are modeled through policy rules containing both policy zone (location) and temporal constraints.
RFC 4271 describes the working principles of mobile IP. The detailed concept was elaborated in 1998 by Perkins . Lapiotis et al.  have proposed policy based management over the link layer. This work was extended in our previous work . The application of the spatio-temporal RBAC model in wireless network security is in its infancy. Laborde et al.  present a colored Petri Net based tool which allows a given network topology, the security mechanisms and the required goals to be described graphically. In this work, the authors model the security policies through generalized RBAC without considering time and location dependent service access. Moreover, the proposed tool is not applicable to wireless networks. To the best of our knowledge, the only work which uses spatio-temporal RBAC in wireless networks is by Tomur and Erten . They present a layered security architecture to control access in organizational wireless networks based on the STRBAC model, using tested wired network components such as VPNs and firewalls. However, this work does not describe the modeling of STRBAC policies using existing ACL standards. In our proposed WLAN policy management system, the global access policies are represented through a formal STRBAC model and implemented through distributed wireless policy zone controllers, which outsource the high level policy configurations from the global policy server, derive the correct low level access configuration and validate it. This makes the task of policy enforcement and validation easier and more efficient.