Lin Chuang, Wang Yuanzhuo, Tian Lin (2)
(1. Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China;
2. Department of Computer, North China Institute of Science and Technology, Beijing 101601, China)
Abstract: As information networks play an ever larger role worldwide, traditional network theories and technologies, especially those related to network security, can no longer meet the requirements of network development. Providing systems with secure and trusted services has become a new focus of network research. This paper first discusses the meaning of the trusted network and the aspects it involves. In the view of this paper, a trusted network is one in which the behaviors of the network and its users, and the results of those behaviors, are always predictable and manageable. The trustworthiness of a network mainly involves three aspects: the service provider, information transmission and the terminal user. The paper also analyzes the trusted network in terms of trust models for network and user behavior, trusted network architecture, service survivability and network manageability, with the aim of offering ideas for solving the problems that may arise in developing trusted networks.
With the rapid development of network technologies and applications, the Internet has become far more complicated and diverse. Not only does the current network architecture suffer from serious deficiencies, but the network also faces great challenges in areas such as security and Quality of Service (QoS) guarantees. Hence there is an urgent need to make the network trustworthy as it develops further. The concept of a "highly trusted network", which originated in China, was introduced to offer users services of high and reliable quality. This concept has now been written into the Guidelines on the National Medium- and Long-Term Program for Science and Technology Development (2006-2020) (hereinafter "the Guidelines") published by the State Council of the People's Republic of China. The Guidelines state: "To focus on developing highly trusted network; meanwhile, to develop network information security technologies and related products, and establish the technical guarantee system for information security so as to prevent and handle various security emergencies."
Trusted computing technology was originally designed for individual computers, not for networks. Developing the trusted network requires extending this trustworthiness technology to the network. In 1999, Compaq, HP, IBM, Intel and Microsoft formed the Trusted Computing Platform Alliance (TCPA), an organization dedicated to enhancing the security of computing platform architectures. In January 2001, TCPA delivered its first specification. In 2003, TCPA was reorganized as the Trusted Computing Group (TCG), whose membership reached 200 companies. In October 2003, TCG published the Trusted Platform Module (TPM) specifications. At the end of 2002, IBM launched a notebook computer equipped with its Embedded Security Subsystem (ESS). In September 2003, Intel introduced LaGrande Technology. Microsoft, the most enthusiastic proponent of trusted computing, claimed that its operating systems would be developed on the basis of highly trusted computing. At present, eight Chinese enterprises have joined TCG. TCG has several work groups, including Infrastructure, Mobile, PC Client, Server, Software Stack, Storage, Trusted Network Connect (TNC), and Trusted Platform Module (TPM) [1-3].
Trusted computing technology first verifies the trustworthiness of the user's identity: whether the user is a legitimate member and whether the device is certified. It then verifies the user's status: whether defensive measures are in place at the terminal, whether certified antivirus software is installed, and whether its virus library is up to date. Identity alone is not enough; a legitimate user on an unprotected terminal is still a risk to the network, which is why the second check exists.
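As an added illustration of this two-stage check (example code, not from the paper or from any TCG specification), the following Python admission decision verifies identity first and endpoint status second. The device registry, the approved antivirus product, the definition-freshness date and the decision names are assumptions made for the example.

```python
"""Two-stage admission check: identity first, then endpoint status.

Added example; it is not code from the paper or from any TCG
specification. The device registry, the approved antivirus product,
the definition-freshness bound and the decision names are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed registry of certified devices and the user each is issued to.
# A real deployment would bind the device to a TPM-backed credential.
CERTIFIED_DEVICES = {"lab-pc-01": "alice", "lab-pc-02": "bob"}

# Assumed admission policy.
POLICY = {
    "approved_av": {"ExampleAV"},          # hypothetical product name
    "min_definitions": date(2008, 3, 1),   # definitions older than this are stale
    "require_firewall": True,
}


@dataclass
class EndpointReport:
    """What the terminal reports about itself (constructed for the example)."""
    device_id: str
    user: str
    av_product: Optional[str]
    definitions_date: Optional[date]
    firewall_enabled: bool


# Constructed sample reports: a healthy terminal, a stale one, an unknown one.
SAMPLE_REPORTS = {
    "healthy": EndpointReport("lab-pc-01", "alice", "ExampleAV", date(2008, 4, 2), True),
    "stale": EndpointReport("lab-pc-02", "bob", "ExampleAV", date(2007, 12, 1), False),
    "rogue": EndpointReport("unknown-pc", "mallory", "ExampleAV", date(2008, 4, 2), True),
}


def check_identity(report: EndpointReport) -> List[str]:
    """Stage 1: is this a certified device, used by its registered user?"""
    owner = CERTIFIED_DEVICES.get(report.device_id)
    if owner is None:
        return ["device is not certified"]
    if owner != report.user:
        return ["device is not registered to this user"]
    return []


def check_status(report: EndpointReport, policy=POLICY) -> List[str]:
    """Stage 2: does the terminal's defensive posture satisfy policy?"""
    problems = []
    if report.av_product not in policy["approved_av"]:
        problems.append("no approved antivirus installed")
    if report.definitions_date is None or report.definitions_date < policy["min_definitions"]:
        problems.append("virus definitions out of date")
    if policy["require_firewall"] and not report.firewall_enabled:
        problems.append("host firewall disabled")
    return problems


def admit(report: EndpointReport, policy=POLICY) -> Tuple[str, List[str]]:
    """Identity failures deny outright; status failures quarantine so the
    terminal can remediate; only a terminal passing both checks is allowed."""
    reasons = check_identity(report)
    if reasons:
        return "deny", reasons
    reasons = check_status(report, policy)
    if reasons:
        return "quarantine", reasons
    return "allow", []


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        print(name, admit(report))
```

The order of the two stages matters: status is only examined for a device whose identity has been established, so an uncertified terminal learns nothing about the posture policy from the reasons it is given.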
To enhance information security and reliability, the US National Science Foundation (NSF) began sponsoring research projects on trust in cyberspace in 2006 [4]; the US National Research Council (NRC) has also proposed research on trust in cyberspace [5].
In China, research in trusted computing and trust in cyberspace has been carried out for many years. Although some companies have already worked on trusted computing terminals and network security, most effort has gone into studying and analyzing the research results of other countries. Research on trusted computing has now been placed on the agenda of the 11th Five-Year Plan. The China State Information Center and Beijing University of Technology are engaged in research on trusted computing terminals, and the Network Control Research Group of the Tsinghua National Laboratory for Information Science and Technology has conducted extensive research in fields such as the new generation Internet [6], trusted networks [7-8], and stochastic modeling and evaluation of network security [9].
Currently, serious problems with network security technologies are drawing more and more attention: the technologies are numerous and of many types; implementing them is costly; and their impact on network performance is becoming significant and increasingly complicated. New ideas are therefore needed to solve the network's security and performance problems, and the trusted network is introduced in this context. There is still no common understanding in the industry of what a trusted network means: some say it should be based on authentication; some say it should build on and integrate current security technologies; some say the network elements should be trusted; some say the network itself should be trusted; and others say the network services should be trusted. However, the objective of the trusted network is agreed: to improve the security of the network and its services, so that people can benefit from the information society. A trusted network can improve network performance and reduce the system overhead of monitoring and prevention caused by untrustworthy behavior, so the performance of the entire system improves. Moreover, trustworthiness of dynamic behavior can guarantee security at a finer granularity than trustworthiness of identity alone.
A trusted network should be a network in which the behaviors of the network itself and of its users, and the results of those behaviors, are always predictable and manageable. That is, the status of behaviors can be monitored, their results can be evaluated, and abnormal behaviors can be controlled. Specifically, the trustworthiness of a network should be measured by a set of attributes that ensure service security and survivability from the user's perspective and make the network manageable from the designer's perspective. Traditionally, security, survivability and manageability are three isolated and independent concepts. In the trusted network, these three basic attributes are integrated in order to maintain trust between network elements and to manage behavior.
Compared with traditional network security technologies, network trustworthiness technology adds behavior trustworthiness and enhances the capability to process network status dynamically, which provides a strategic basis for implementing intelligent, adaptive network security and QoS control. Trustworthiness in a trusted network mainly involves three aspects: service providers, information transmission and terminal users.
The trustworthiness of a service provider involves two parts: identity and behavior.
Identity trustworthiness means that the provider's identity is genuine and valid, can be accurately authenticated, and cannot be impersonated by others. Behavior trustworthiness means that the provider's behavior is trustworthy, has no fraudulent intent, and will not endanger user terminals.
Traditional security mechanisms provide authentication and authorization functions, which can only ensure the trustworthiness of the service provider's identity, not of its behavior. Behavior trustworthiness can be further divided into two levels: basic and advanced.
Basic behavior trustworthiness means that the service provider behaves honestly, provides services as contracted, and does not interrupt services at will.
Advanced behavior trustworthiness means that the provider does nothing that may endanger user security while providing the service. Dangerous behaviors include serving malicious content, disclosing users' private information to third parties, and other disruptive actions taken in the provider's own interest.
Trustworthiness of information transmission means that network nodes transmit information faithfully: they neither delete nor alter the original information, nor secretly carry other information along with it, and they can transmit it over the path the user specifies. The core of transmission trustworthiness is to ensure the confidentiality, integrity and availability of information in transit. Making transmission trustworthy requires preventing both third parties and the network itself from damaging the transmitted information. Accordingly, strategies are needed that technically guarantee the trustworthiness of the transmitted information at both the sending and receiving ends, and that prevent the network's information from being damaged by the network itself or by a third party, in legal, managerial and technical terms.
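The following Python example, added here and not part of the paper, shows how the receiving end can detect a node on the path that alters, drops, inserts or replays information: each frame carries a sequence number and length in an authenticated header and an HMAC under a key shared by sender and receiver. The key, the frame layout and the simulated misbehaving relay are assumptions; confidentiality would be added by encrypting the payload and is not shown.

```python
"""Detecting an untrustworthy relay: modification, deletion, injection, replay.

Added example; it is not code from the paper. Each frame carries a
sequence number and a length in an authenticated header, plus an HMAC
over header and payload under a key shared by sender and receiver
(the key and the frame layout are assumptions). A node on the path that
alters, drops, inserts or replays frames is detected at the receiving
end; confidentiality would be layered on top with encryption.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-for-real-use"   # assumed shared secret
HEADER = struct.Struct("!IH")                      # sequence number, payload length
TAG_LEN = hashlib.sha256().digest_size


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: header || payload || HMAC-SHA256(header || payload)."""
    header = HEADER.pack(seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def open_frame(key: bytes, frame: bytes):
    """Receiver side: return (seq, payload), or None if the frame is not genuine."""
    if len(frame) < HEADER.size + TAG_LEN:
        return None
    header, rest = frame[:HEADER.size], frame[HEADER.size:]
    seq, length = HEADER.unpack(header)
    payload, tag = rest[:length], rest[length:]
    if len(tag) != TAG_LEN:           # bytes secretly added or removed
        return None
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                   # changed in transit, or forged without the key
    return seq, payload


class Receiver:
    """Accepts genuine, in-order frames and records every anomaly it sees."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0
        self.accepted = []
        self.events = []

    def deliver(self, frame: bytes) -> None:
        result = open_frame(self.key, frame)
        if result is None:
            self.events.append("rejected: integrity check failed")
            return
        seq, payload = result
        if seq < self.next_seq:
            self.events.append(f"rejected: replay of sequence {seq}")
            return
        if seq > self.next_seq:       # something the network dropped or broke
            self.events.append(f"gap: sequence numbers {self.next_seq}..{seq - 1} missing")
        self.next_seq = seq + 1
        self.accepted.append(payload)


def untrustworthy_relay(frames):
    """Simulated misbehaving node: drops frame 1, flips a payload byte of
    frame 2, appends a frame of its own, and replays frame 0."""
    out = []
    for i, frame in enumerate(frames):
        if i == 1:
            continue
        if i == 2:
            frame = bytearray(frame)
            frame[HEADER.size] ^= 0x01
            frame = bytes(frame)
        out.append(frame)
    forged = HEADER.pack(9, 5) + b"hello" + b"\x00" * TAG_LEN
    out.append(forged)
    out.append(frames[0])
    return out


def run_demo():
    """Send four constructed messages through the bad relay; return what survived."""
    messages = [b"m0", b"m1", b"m2", b"m3"]
    frames = [seal(KEY, i, m) for i, m in enumerate(messages)]
    rx = Receiver(KEY)
    for frame in untrustworthy_relay(frames):
        rx.deliver(frame)
    return rx.accepted, rx.events


if __name__ == "__main__":
    accepted, events = run_demo()
    print("accepted:", accepted)
    for event in events:
        print(event)
```

The receiver cannot tell a dropped frame from a damaged one (both appear as a gap once a later frame arrives), which is why the integrity and sequence checks are reported separately: the first identifies which node's output was bad, the second tells the sender what needs to be retransmitted.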
Examining current security measures for servers, the network itself and network users, one can see that the measures decrease progressively along that sequence. Much attention is paid to protecting servers and the network, but security at the user end is neglected.
This is clearly unreasonable, because the user end not only creates and stores important data but also may trigger attacks through its own vulnerabilities (for example, data leakage and worms). If the unsafe factors can be controlled at the source, that is, the user, and the user's behavior made to meet security requirements, the security of the entire network can be greatly improved. The trustworthiness of terminal users is therefore an important part of the trusted network.
Like that of a service provider, the trustworthiness of a terminal user involves two parts: identity and behavior. Identity trustworthiness of a terminal user means that the user's identity is genuine and valid, can be accurately authenticated, and cannot be impersonated by others. Behavior trustworthiness of a terminal user means that the user's behavior is evaluable, predictable and manageable, and will not damage network equipment or data. Traditional security mechanisms provide authentication and authorization, which can only ensure the trustworthiness of the user's identity, not of the user's behavior. For example, to access digital electronic resources, a college student may log on to the university's digital resource server with a certified identity (often an IP address belonging to the university), yet behave untrustworthily: he may use download tools to fetch large volumes of the university's electronic resources, or privately set up a proxy server for his own benefit.
Four challenges have to be overcome in trusted network research. First, network attacks and disruptive behaviors are characterized by diversity, randomness, invisibility and spreading, and are difficult to describe or analyze with current network modeling theories. Second, in current network architectures, especially that of the Internet, the end-to-end argument and the connectionless design facilitate effective interconnection, but the control measures are not strong enough to solve the security problems of real networks. Third, network vulnerabilities, human error, management flaws, and network attacks and disruptive behaviors all challenge the network's ability to guarantee service survivability. Fourth, the complexity of the network architecture and the heavy load on the network make network behavior difficult to manage.
Compared with the traditional concept of "network security", trustworthiness implies more. A common understanding recently reached in the network security field is that security is merely an assertion about externally observed performance, whereas trustworthiness is a measurable attribute abstracted from the analysis of behavior. Creating a trust model that can effectively analyze and describe network and user behavior is therefore critical to understanding and studying the trusted network.
The importance of creating such a trust model lies in four points. First, the model can describe the trustworthiness requirements of the system abstractly and precisely without discussing implementation details, so that security flaws in the system can be found by analyzing the mathematical model. Second, the trust model is a critical step in system development: the Trusted Computer System Evaluation Criteria (TCSEC) issued by the United States Department of Defense (DoD) require that the security policy model be formally described and verified, and covert channels analyzed, for class B2 and above. Third, formal description and analysis of the trust model, and its use, can improve the trustworthiness of a network system. Finally, a trustworthiness evaluation theory for network vulnerabilities and users' attack behaviors is a prerequisite for trusted monitoring, prediction and intervention in the system, and provides a theoretical basis for trusted network research.
Because no network system is absolutely secure, the ultimate goal of network vulnerability evaluation is not to eliminate vulnerabilities completely but to give the system administrator a way to find the balance point between "offering services" and "ensuring security". The evaluation is a proactive assessment carried out before attacks occur. For example, with a mechanism for describing attack behaviors, a system administrator can distinguish behaviors that carry attack intent from the large mass of user behaviors, and apply access control to those behaviors at the host on the basis of the trustworthiness evaluation result.
Traditional rule-based methods can only be used for local detection and cannot cover the entire network. Most current vulnerability evaluation tools are rule-based: they can check several services on a single host, and for a network of several hosts, manual work is needed to evaluate it effectively. In the model-based evaluation method, a model is first built for the entire system; then all possible behaviors and states of the system are derived from the model; finally, a model analysis tool is used to run tests and evaluate the trustworthiness of the system.
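As an added illustration of the model-based method (example code, not from the paper), the Python below builds a constructed model of a small network, derives every (host, privilege) state an attacker can reach from the model, and then asks which single fix would cut the attacker off from a goal state, which is how an administrator locates the balance point between offering services and ensuring security. The hosts, the connectivity and the vulnerability names are all constructed for the example.

```python
"""Model-based evaluation: enumerate every state an attacker can reach.

Added example; it is not code from the paper. The network model below
(hosts, which host may connect to which, and the vulnerabilities on each)
is constructed. The evaluation builds the model once, derives all
reachable (host, privilege) states by breadth-first search, and then
asks which single fix would cut the attacker off from a goal.
"""
from collections import deque
from typing import Dict, List, Optional, Tuple

State = Tuple[str, str]                      # (host, privilege held there)
RANK = {"user": 1, "root": 2}

# Constructed connectivity: which hosts a host may open connections to
# (the firewall policy, viewed as a graph).
REACHABLE = {
    "internet": {"web"},
    "web": {"app", "db"},
    "app": {"db"},
    "db": set(),
}

# Constructed vulnerabilities. A remote one is usable from any host that
# can reach the target; a local one needs the stated privilege on the
# target itself.
VULNS = {
    "web-rce":        {"host": "web", "remote": True,  "gains": "user"},
    "web-privesc":    {"host": "web", "remote": False, "needs": "user", "gains": "root"},
    "app-weak-cred":  {"host": "app", "remote": True,  "gains": "root"},
    "db-auth-bypass": {"host": "db",  "remote": True,  "gains": "root"},
}


def enumerate_states(vulns: Dict[str, dict], start: State = ("internet", "root")):
    """Breadth-first search over the model; returns state -> (previous state, vuln)."""
    parents: Dict[State, Optional[Tuple[State, str]]] = {start: None}
    queue = deque([start])
    while queue:
        host, priv = queue.popleft()
        for name, v in vulns.items():
            target = v["host"]
            if v["remote"]:
                if target not in REACHABLE[host]:
                    continue
            elif host != target or RANK[priv] < RANK[v["needs"]]:
                continue
            new = (target, v["gains"])
            if new not in parents:
                parents[new] = ((host, priv), name)
                queue.append(new)
    return parents


def attack_path(parents, goal: State) -> Optional[List[Tuple[State, str, State]]]:
    """Reconstruct one attack path to `goal`, or None if it is unreachable."""
    if goal not in parents:
        return None
    path, state = [], goal
    while parents[state] is not None:
        prev, vuln = parents[state]
        path.append((prev, vuln, state))
        state = prev
    return list(reversed(path))


def critical_fixes(vulns, goal: State):
    """Vulnerabilities whose removal alone makes `goal` unreachable."""
    return {name for name in vulns
            if goal not in enumerate_states({k: v for k, v in vulns.items() if k != name})}


if __name__ == "__main__":
    goal = ("db", "root")
    parents = enumerate_states(VULNS)
    print("reachable states:", sorted(parents))
    print("one path to goal:", attack_path(parents, goal))
    print("single fixes that block the goal:", critical_fixes(VULNS, goal))
```

The point a rule-based scanner cannot make is visible in the last function: the local privilege escalation on the web host and the weak credential on the application server are real findings, yet neither is on the shortest path to the database, so fixing the entry point or the database service first buys more than fixing either of them.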
Figure 1 illustrates the elements of trustworthiness analysis. The trustworthiness evaluation involves two aspects, identity and behavior, and the evaluation of behavior trustworthiness is based on content trustworthiness, which includes protection ability, service ability, trust recommendation, behavior record and more.
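To tie together the student example above and the elements in Figure 1, here is an added Python example (not from the paper) of evaluating a terminal user: the identity check tests whether every access came from the certified address block, and the behavior score weights protection ability, service ability, trust recommendation and a behavior record derived from constructed log lines. The address block, the log format, the weights and the thresholds are assumptions.

```python
"""Trust evaluation of a terminal user from identity plus behaviour records.

Added example; it is not code from the paper. It implements the two
evaluation aspects named in the text, identity and behaviour, and scores
behaviour from the Figure 1 elements (protection ability, service
ability, trust recommendation, behaviour record). The address block,
the log format, the weights and the thresholds are assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Assumed certified identity: the university's address block.
CERTIFIED_NETWORK = ip_network("10.10.0.0/16")

# Assumed policy: more than this per day counts as bulk downloading.
BULK_BYTES_PER_DAY = 2 * 1024 ** 3

# Assumed weights for the Figure 1 elements; the behaviour record carries
# the most weight because it reflects what the user actually did.
WEIGHTS = {"protection": 0.15, "service": 0.15, "recommendation": 0.2, "record": 0.5}

# Constructed behaviour records: "user client_ip action bytes".
SAMPLE_LOG = """\
alice 10.10.4.21 download 52428800
alice 10.10.4.21 download 73400320
bob 10.10.7.9 download 1073741824
bob 10.10.7.9 download 1073741824
bob 10.10.7.9 download 536870912
bob 10.10.7.9 proxy_listen 0
carol 192.0.2.44 download 10485760
dave 10.10.9.3 download 1073741824
dave 10.10.9.3 download 1073741824
dave 10.10.9.3 download 1073741824
"""


@dataclass
class Posture:
    """Content-trustworthiness inputs other than the record, each in [0, 1]."""
    protection: float      # protection ability (patch level, antivirus, firewall)
    service: float         # service ability (the user's own hosts behave correctly)
    recommendation: float  # trust recommendation from other servers or peers


Record = Tuple[str, str, str, int]


def parse_log(text: str) -> List[Record]:
    records = []
    for line in text.splitlines():
        if line.strip():
            user, ip, action, nbytes = line.split()
            records.append((user, ip, action, int(nbytes)))
    return records


def identity_trusted(records: List[Record]) -> bool:
    """Identity check: every access must come from the certified block."""
    return all(ip_address(ip) in CERTIFIED_NETWORK for _, ip, _, _ in records)


def behaviour_record_score(records: List[Record]) -> float:
    """Score the behaviour record; each untrustworthy pattern costs 0.5."""
    score = 1.0
    downloaded = sum(n for _, _, action, n in records if action == "download")
    if downloaded > BULK_BYTES_PER_DAY:
        score -= 0.5                       # bulk download of the resources
    if any(action == "proxy_listen" for _, _, action, _ in records):
        score -= 0.5                       # private proxy serving others
    return max(score, 0.0)


def evaluate(user: str, records: List[Record], posture: Posture) -> Tuple[str, float]:
    """Return (decision, score). A failed identity check denies outright
    regardless of behaviour; otherwise the weighted score decides."""
    mine = [r for r in records if r[0] == user]
    if not mine or not identity_trusted(mine):
        return "deny", 0.0
    score = (WEIGHTS["protection"] * posture.protection
             + WEIGHTS["service"] * posture.service
             + WEIGHTS["recommendation"] * posture.recommendation
             + WEIGHTS["record"] * behaviour_record_score(mine))
    score = round(score, 2)
    if score >= 0.75:
        return "allow", score
    if score >= 0.5:
        return "throttle", score
    return "deny", score


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    good_posture = Posture(protection=0.9, service=0.9, recommendation=0.8)
    for user in ("alice", "bob", "carol", "dave"):
        print(user, evaluate(user, records, good_posture))
```

With the sample records, alice is allowed, dave (bulk downloading only) is throttled, bob (bulk downloading plus a private proxy) is denied although his identity is valid, and carol is denied on identity alone even though her behavior is unremarkable; this is the finer granularity that behavior trustworthiness adds over identity trustworthiness.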
In the early design of the Internet, security, which is a major contributor to the vulnerability of current networks, was not taken seriously. Most current network security designs do not go deep into the core of the network architecture; they are simply passive defenses or information security measures added on as patches. Following the principles of "stopping leaks, building high walls and preventing external attacks", these security mechanisms intercept illegal users and unauthorized accesses at the periphery of the shared information resources in order to fend off external attacks.
▲Figure 1. An analysis mode of trusted model.
▲Figure 2. Traditional vs. trusted network architecture.
Since various attacks are combined to form more serious attacks, the security system grows ever larger. As a result, network performance is considerably degraded, and the openness and simplicity principles of system design are broken. Network security based on mechanisms that are added as patches and defend passively is not trustworthy. Reducing system vulnerabilities and offering secure services at the level of architectural design is therefore extremely important.
A description of security architecture is included in the security extension of the Open Systems Interconnection Reference Model (OSI/RM), but it is only a conceptual framework and needs further development.
Network security is no longer limited to the availability, integrity and confidentiality of information. More and more users recognize service security as an essential attribute of the network. This urges researchers to redesign the network architecture and to integrate multiple security technologies that interoperate at several levels. On the one hand, in the traditional security mechanism, which is usually added to the network system as a patch, each individual security technology or product has limitations in both function and performance and can meet only specific security requirements. Moreover, the security system itself is often vulnerable in its design, implementation and management, which in turn significantly restricts the performance of the whole system. For example, an intrusion detection system cannot stop a worm, antivirus software cannot protect the network from a Denial of Service (DoS) attack, and a firewall can do nothing against viruses and Trojan horses carried over the connections it permits. On the other hand, the concept of network security has shifted from passive to proactive defense and is no longer limited to defending the periphery of shared information. Security analysis must start from the access source, and untrustworthy access operations must be controlled at the outset. A trustworthy architecture is therefore necessary for the network in order to avoid the problems of traditional security mechanisms. Research on trusted network architecture should take the complexity and heterogeneity of networks into account and ensure consistency of services throughout the whole system.
Figure 2 shows the traditional and trusted network architectures. In the trusted architecture, monitoring information (monitoring and distribution) and service data are carried over the same physical link, but the control information path is independent of the data path. Management of the monitoring information path therefore does not depend on configuration management on the data plane, and a highly reliable control path is established. In traditional networks, by contrast, control and management information must travel over the paths chosen by the routing protocol, so management of the network depends on the very data plane it is trying to manage.
In a sense, survivability can be regarded as a resource scheduling problem. Research on service survivability concerns designing a reasonable scheduling strategy for the redundant resources associated with a service and, using a real-time monitoring mechanism, scheduling these resources to respond to service requests. When the network system is attacked or damaged, the survivability design minimizes the failure time and failure frequency of critical services. Survivability is a basic objective of network research. It should give the network system functions such as self-test, self-diagnosis, self-recovery and self-organization, and maintain the key attributes of critical services, including integrity, confidentiality and performance. Today the fundamental functions of network systems have improved, yet the network still suffers from inherent vulnerabilities, management flaws and human error, as well as attacks and disruptive behaviors.
Survivability, which guarantees the network's critical services, is therefore of great significance.
Almost all network systems contain hidden weaknesses that invite attack, namely vulnerabilities. Vulnerabilities arise in every phase: design, implementation, operation and management. They are usually not introduced deliberately by developers but arise for unexpected reasons. A computer in a network can communicate with other computers only by offering some services, and in such a complicated system vulnerabilities are inevitable. Besides programming errors in particular network service programs, vulnerabilities include incorrect configuration or deployment of services or software on a network node, and defects in network protocols. A protocol defines the rules of interaction and communication between computers in a network; consequently, if the protocol design is defective, the system is vulnerable no matter how perfect the implementation.
Security services are critical services of the network system: if they fail, the entire system may come under wider attack, more services may fail, and the entire system may even be paralyzed. The failures of such critical services must therefore be kept within allowed limits. Survivability research must carefully examine the basic features of survivability that are independent of individual attacks; fault-tolerant design tries to eliminate vulnerabilities and avoid incorrect system state transitions; and intrusion-tolerant design tries to minimize the effect of an attack when an attacker does exploit a vulnerability, and to create the conditions for services to resume.
▲Figure 3. Network management.
The Internet has become a huge, complicated, non-linear system. Its scale and number of users are extremely large and growing steadily; its protocols are numerous and jumbled; its service types are diverse; and many kinds of networks are integrated into it. All of this is far beyond what the early design envisaged, and it makes network management more difficult.
Manageability of a network means that both the network status and user behavior can be monitored and analyzed continuously when the network environment is disturbed externally or internally, and that decisions can then be made to configure the control parameters of the devices, protocols and mechanisms involved in an adaptive, optimal way. In this way the processes and results of data transmission, resource allocation and user service can be predicted and controlled.
Currently, network architectures and management protocols do not support manageability by design; network management functions can only be added on to the architecture, so effective management of the network cannot be achieved. The trusted network should be a fully manageable network, and its manageability should strongly support the network's other essential attributes, such as security, robustness and general applicability. The main tasks of network management are to monitor the network status continuously and to optimize the running parameters of network equipment. In other words, the tasks involve two important aspects: network scanning and decision-making for optimization, as shown in Figure 3.
Research on network manageability first focuses on improving the design principles of the network architecture so as to achieve full management of the network and thus ensure that network behavior is trusted. The next step is to support the solution of the network's essential problems, such as security, robustness, general applicability and QoS, and to make the network adaptable for further development.
As the Internet balloons in service types, user numbers and complexity, the current network security system, which is isolated, fragmentary, passively defensive and externally added, cannot deal with attacks and disruptive behaviors characterized by diversity, randomness, invisibility and spreading. Moreover, vulnerabilities are inevitably present in the system. As a result, the network now faces serious security challenges. Since the trusted network is an important direction in current network development research, this article has discussed and analyzed it in terms of its concept, its development and the critical problems to be solved, in the hope of offering some new ideas for further research.