Next:  Architecture Models Up: Security Requirements for Management Previous: Security Requirements for Management

 Introduction


Mobile agents are a new paradigm in distributed systems that allows transferring not only simple data but also `living' code through networks. An agent system therefore provides a homogeneous run-time environment for agents by adapting the underlying, heterogeneous host system. In addition, it offers general services to agents, which makes them easier to handle and smaller. Although the main research on mobile agents does not focus on their applicability in management, several publications [bpw98, elbi99, fkk99, kupa98, samo98] regard them as a promising approach. First, mobile agents give a more generic view on some aspects of concepts like Management-by-Delegation (MbD) [goye95, schoe97]: in terms of mobility, delegation is the migration of a mobile agent from a management server to a mid-level manager or managed resource. Second, mobility may overcome limitations of MbD because a mobile agent is not limited to remaining on a managed resource after delegation. In fact, it can decide autonomously to move to another place, for example for load balancing or to apply some complex operations to a group of resources. Third, management systems can use mobile agents for implementing distributed management functionality.

Although mobile agents have many benefits for distributed computing, they introduce a new dimension of security issues. Automatically executing arbitrary code on any host can be dangerous. The same care is necessary as when manually starting programs from unknown sources. In order to protect hosts from malicious code, agent systems usually provide a virtual machine or interpreter to run mobile agents in a separate, locked environment. Any action or communication of agents is then only possible through the means of the agent system (similar to applets in WWW browsers).

But this covers only a single aspect of security. In order for mobile agents to fulfil their management tasks, they must be able to access security-sensitive data and resources. This must happen in a controlled manner and only by mobile agents that are allowed to do so. A closer look at security reveals various threats in different areas. Many of them have been identified [ches98, gbhh98, vign98]. For some of them possible solutions have been presented. For others there are ideas on how they might be solved (e.g. authentication [bgs98], access control [eac98], trust [fele97], secure MbD [sq99], securing mobile agents from malicious hosts [hohl98, kag98, sats98, vign98a]).

As most solutions and ideas deal with only a single problem, they remain fragments. However, making mobile agent technology secure means integrating these fragments into an architecture. Moreover, in order to get a complete view of possible threats, there is a need for an overall model that allows identifying and examining all points of attack.

In this paper we look into security issues of agent systems under the special constraints of management systems. Although a `general-purpose' agent system might be used, it is still questionable whether it will meet the needs of a management system. Whereas access to a general agent system is usually open to the public, e.g. the systems run agents from unknown sources, we consider this a bad idea for management. When dealing with vital devices and systems, tight security must prevent any misuse. Therefore, agent systems depend on a certain trust in other agent systems and agents, i.e. there is always a person liable for an action. We find this a major distinction from `general-purpose' agent systems.

In the next section we propose two models that describe the security-related aspects of mobile agent based management systems. They allow us to find points of attack and to deduce possible threats. The analysis of threats and the classification of attacks follows in section [*]. Instead of developing a defense strategy for each possible attack, the generalization into security requirements in section [*] is a better approach. Section [*] presents a security architecture for mobile agent based management systems. The last section concludes the paper and presents issues for further research.


Copyright Munich Network Management Team