Multi-dimensional Security Management and Enforcement (MSME) Project
Introduction
The Multi-dimensional Security Management and Enforcement (MSME)
project will design and implement a system to efficiently provide
communications security by supporting the creation, management,
evolution, and dissolution of dynamic coalitions.
The MSME project at BBN Technologies is sponsored by the Defense
Advanced Research Projects Agency under contract number
F30602-00-C-0062 issued by the Air Force Research Laboratory
(AFRL).
Approach
The approach is to build a Security Abstraction Layer (SAL) that is
based in part on the ISO security architecture (ISO 7498-2).
Additional services and mechanisms not defined in ISO 7498-2 (for
example, a transitive communications service between coalition
members and a steganography mechanism) are included in MSME, as
well as both TLS and IPsec mechanisms.
The policy of a coalition will be specified by having each coalition
partner specify a Policy Level Agreement (PLA) that defines the
communications security requirements that the partner will use when
communicating with other coalition partners.

MSME Coalition Policy Resolution Components
A PLA will be expressed in a common PLA Language (PLAL). Each
partner will translate (if necessary) the coalition-relevant
portions of its policy into the PLAL. The PLAs of each partner
will be securely communicated between the partners and resolved,
creating a Resolved PLA (RPLA). The resolution process removes
mechanisms from the PLAs of the partners that do not allow
successful inter-partner communications. The RPLA is securely
communicated back to each partner, where it is reconciled with the
original PLA to verify consistency. The RPLA is then translated
(if necessary) back to the partner's local policy support system,
so that it can be used to eliminate those mechanism alternatives
that will not result in successful inter-partner communications.
The RPLA is also used to augment the filters used by a partner's
intrusion detection mechanisms so that the partner can make sure
that the resolved policy is being used and enforced.
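The resolution and reconciliation steps described above, as an added sketch that is not the project's code. The dict-based PLA model, the partner names and the mechanism labels are assumptions made for illustration; the page does not define PLAL syntax.

```python
# Added illustration. The dict-based PLA model is an assumption; it is not PLAL.
# A PLA maps each security service to the mechanisms the partner accepts.

def resolve(plas):
    """Return (rpla, unresolved) for {partner: {service: [mechanisms]}}.

    A mechanism survives only if every partner accepts it for that service.
    A partner that omits a service offers no mechanism for it.
    """
    services = sorted({svc for pla in plas.values() for svc in pla})
    rpla, unresolved = {}, []
    for svc in services:
        offers = [pla.get(svc, []) for pla in plas.values()]
        common = [m for m in offers[0] if all(m in o for o in offers[1:])]
        if common:
            rpla[svc] = common
        else:
            unresolved.append(svc)  # no mechanism allows communication
    return rpla, unresolved


def reconcile(pla, rpla):
    """Partner-side check of a received RPLA against the original PLA."""
    problems = []
    for svc, mechs in rpla.items():
        extra = [m for m in mechs if m not in pla.get(svc, [])]
        if extra:
            problems.append(f"{svc}: not in local PLA: {extra}")
    for svc in pla:
        if not rpla.get(svc):
            problems.append(f"{svc}: required locally but unresolved")
    return problems


# Constructed sample PLAs; partner and mechanism names are illustrative.
PLAS = {
    "alpha": {"confidentiality": ["ipsec-esp", "tls"], "integrity": ["ipsec-ah", "tls"]},
    "bravo": {"confidentiality": ["tls", "ipsec-esp"], "integrity": ["tls"]},
    "charlie": {"confidentiality": ["tls"], "integrity": ["tls", "ipsec-ah"]},
}

if __name__ == "__main__":
    rpla, unresolved = resolve(PLAS)
    print("RPLA:", rpla, "unresolved:", unresolved)
    for name, pla in PLAS.items():
        print(name, reconcile(pla, rpla) or "consistent")
```

A non-empty result from reconcile means the returned RPLA contains a mechanism the partner never offered or leaves one of its services unresolved.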
Issues that arise when multiple partners form a dynamic coalition
that were not addressed by PBSM include:
- Specification Language
- The language used to specify the security policies of each
host needs to be able to specify which policy to use
depending upon what other hosts are currently members of the
coalition. The language must also be able to specify
policies at a higher level of abstraction than was necessary
for two communicating hosts, so that the policies can be more
flexible to adjust to changing coalitions. However,
additional flexibility leaves open the possibility that
policies might be ambiguous. The language will have to
include meta policies that indicate how to resolve any
ambiguities that may arise.
- Exchange of Policies
- The policies specified by each of the coalition partners must
be securely exchanged with each of the other partners of the
coalition. Policies may have to be exchanged whenever a host
enters or leaves the coalition. An encoding of the policies
is necessary along with a protocol used for their exchange.
Each policy must be authenticated to verify which host sent
the policy and that the policy has not been modified in
transport. Confidentiality may also be required.
MSME Coalition Policy Resolution Information Flow
- Negotiation of Policies
- Using policy information from each of the current coalition
partners, policy negotiation is required to decide on a
common policy that satisfies all of the partners'
requirements. This may either be an active negotiation
requiring rounds of policy exchange or it may be a static
negotiation where each policy has all the information needed
to make the decision without further policy exchange. After
a common policy is negotiated, each partner of the coalition
must get a copy of the resolved policy for its local use.
Policies may need to be re-negotiated whenever a partner
enters or leaves the coalition, since the set of policies
involved in the negotiation may change. Consider
the case where a partner that was providing transit
communications services leaves the coalition. This dynamic
nature of the coalitions requires that the policy
negotiations be fast so that the policy generation process
can keep pace with the changes to the coalition.
- Policy Verification
- It is essential to be able to determine if security policies
are behaving as desired. In the case of two hosts
communicating, it is fairly easy to determine if the policies
interact in a desired fashion before the policies are
activated, or communication is initiated. However, when
dynamic coalitions are involved, complete verification before
using the policies is extremely difficult, since the policy
used might depend on all the hosts in the coalition and the
coalition may often be in flux. It is also desirable to
verify that policy decision points and policy enforcement
points are handling the policies correctly. To do this, it
is necessary to monitor the policies in use, both the results
of the negotiations and the results of enforcing the
policies.