2010 Articles
DIPLOMA: Distributed Policy Enforcement Architecture for MANETs
The lack of a well-defined defense perimeter in MANETs prevents the use of traditional firewalls and requires security to be implemented in a distributed manner. We recently introduced a novel deny-by-default distributed security policy enforcement architecture for MANETs that harnesses and extends the concept of network capabilities. The deny-by-default principle allows compromised nodes to access only authorized services, limiting their ability to disrupt or even interfere with end-to-end connectivity and with nodes beyond their local communication radius. Policies are enforced hop by hop, in a distributed manner. In this paper, we present a Linux implementation of this architecture, called DIPLOMA. The implementation works at the network layer and requires no changes to existing applications. We identify the bottlenecks of the original architecture and propose improvements, including a signature optimization, so that it performs well in practice. We present the results of evaluating the architecture on the Orbit MANET testbed under realistic conditions. The results show that the architecture incurs minimal overhead in throughput, latency and jitter, and that the system protects network bandwidth and end hosts in the presence of attackers. To that end, we identify ways of creating multi-hop topologies in indoor environments so that a malicious node cannot interfere with every other node. We also show that existing applications are not impacted by the new architecture and achieve good performance.
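The following is an added, illustrative model of the deny-by-default, hop-by-hop capability check the abstract describes; it is not code from the paper or from the DIPLOMA implementation. It assumes a toy capability format (source, destination, service port, expiry, authentication tag), a single HMAC key shared by the policy authority and all forwarding nodes (the real architecture uses signatures, which is what the signature optimization concerns, so that a compromised forwarder cannot mint capabilities), and a constructed four-node chain A-B-C-D. The node names, `AUTHORITY_KEY`, `NOW` and the helper names are all assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed for this example. Assumption: a single key shared by the policy
# authority and every forwarding node. DIPLOMA uses signatures instead, so a
# compromised forwarder cannot mint capabilities; HMAC keeps this stdlib-only.
AUTHORITY_KEY = b"example-authority-key-not-for-production"
NOW = 1_700_000_000  # fixed clock so the scenarios are deterministic


def _cap_message(src: str, dst: str, port: int, expires: int) -> bytes:
    """Canonical byte string that the authority authenticates."""
    return f"{src}|{dst}|{port}|{expires}".encode()


@dataclass(frozen=True)
class Capability:
    """Authorisation for one flow (src -> dst:port) valid until `expires`."""
    src: str
    dst: str
    port: int
    expires: int
    tag: bytes


def issue_capability(src: str, dst: str, port: int, expires: int,
                     key: bytes = AUTHORITY_KEY) -> Capability:
    """Policy authority: bind the flow and expiry to an authentication tag."""
    tag = hmac.new(key, _cap_message(src, dst, port, expires), hashlib.sha256).digest()
    return Capability(src, dst, port, expires, tag)


@dataclass
class Packet:
    src: str
    dst: str
    port: int
    payload: bytes
    cap: Optional[Capability] = None  # absent unless the sender attaches one


def check_capability(pkt: Packet, now: int, key: bytes = AUTHORITY_KEY) -> Optional[str]:
    """Return None if a forwarder may relay `pkt`, otherwise the drop reason."""
    cap = pkt.cap
    if cap is None:
        return "no capability"  # deny by default
    if now >= cap.expires:
        return "expired"
    if (cap.src, cap.dst, cap.port) != (pkt.src, pkt.dst, pkt.port):
        return "capability does not match flow"
    expected = hmac.new(key, _cap_message(cap.src, cap.dst, cap.port, cap.expires),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cap.tag):
        return "bad tag"
    return None


@dataclass
class Outcome:
    delivered: bool
    transmissions: int            # radio hops consumed before delivery or drop
    dropped_at: Optional[str] = None
    reason: Optional[str] = None


def forward(path: List[str], pkt: Packet, now: int = NOW) -> Outcome:
    """Relay `pkt` along `path` (sender first, destination last). Every node
    after the sender re-checks the capability before forwarding, so an
    unauthorized packet never gets past the sender's own radio neighbour."""
    for i, node in enumerate(path[1:], start=1):
        reason = check_capability(pkt, now)
        if reason is not None:
            return Outcome(False, i, node, reason)
    return Outcome(True, len(path) - 1)


def demo() -> Dict[str, Outcome]:
    """Constructed 4-node chain A-B-C-D; A is the (possibly compromised) sender."""
    path = ["A", "B", "C", "D"]
    good = issue_capability("A", "D", 80, NOW + 600)
    expired = issue_capability("A", "D", 80, NOW - 1)
    forged = Capability("A", "D", 80, NOW + 600, b"\x00" * 32)  # attacker-minted tag
    return {
        "authorized": forward(path, Packet("A", "D", 80, b"GET /", good)),
        "no_capability": forward(path, Packet("A", "D", 80, b"flood")),
        "wrong_service": forward(path, Packet("A", "D", 22, b"ssh", good)),
        "expired": forward(path, Packet("A", "D", 80, b"GET /", expired)),
        "forged": forward(path, Packet("A", "D", 80, b"GET /", forged)),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:14} delivered={out.delivered} hops={out.transmissions} "
              f"dropped_at={out.dropped_at} reason={out.reason}")
```

The point worth checking in the output is the `transmissions` count: every unauthorized packet, whether it lacks a capability, reuses one for a different service, is expired or carries a forged tag, is dropped at B after a single radio transmission, so a compromised A can only burn bandwidth within its own communication radius, which is the property the abstract claims for deny-by-default hop-by-hop enforcement. Revocation, per-hop caching of verified capabilities and the signature scheme itself are deliberately outside this toy model.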
Files
- diploma.pdf (application/pdf, 370 KB)
Also Published In
- Title: 2010 Fourth International Conference on Network and System Security: NSS 2010: 1-3 September 2010, Melbourne, Australia
- Publisher: IEEE Computer Society
- DOI: https://doi.org/10.1109/NSS.2010.27
More About This Work
- Academic Units: Computer Science
- Published Here: August 9, 2011