Towards network security management in an Internetwork environment

Posted on: 1999-10-30
Degree: Ph.D
Type: Dissertation
University: University of Maryland Baltimore County
Candidate: Maughan, William Douglas
Full Text: PDF
GTID: 1468390014467475
Subject: Computer Science
Abstract/Summary:
The Internet has evolved into a critical communications infrastructure for commercial and private communications, both national and international. As the quantity of communications across computer networks grows, the need to secure these transmissions also increases.

The security required for communications depends on the specific network configuration and environment. Organizations are setting up Virtual Private Networks (VPNs) that require one set of security functions for communications within the VPN and, possibly, many different security functions for communications outside the VPN. These requirements allow the organization to support geographically separate components, customers, suppliers, sub-contractors (with their own VPNs), government, and other partners. Departments within large organizations may require security functionality to separate and protect data (e.g. personnel, company proprietary, medical) on internal networks and other security functions to communicate within and across departments. Nomadic users wanting to “phone home” represent another set of security requirements. These mobile user requirements must be tempered with bandwidth challenges. Additionally, security functions associated with multicast communications add complexity to the required solution set.

This dissertation presents an architecture for network security management that will allow an organization to provide a consistent security posture for all of its communications, both internal and external. A significant part of this network security management architecture is the ability to negotiate security services and mechanisms to protect communications. Security protocols under development are attempting to incorporate security mechanisms in their specifications to protect against attempts to exploit communications across these networks. The security mechanisms that are typically implemented include confidentiality, integrity, authentication, access control, and non-repudiation.

This dissertation also presents a negotiation protocol which provides communicating entities with the ability to negotiate the security functionality they desire. This is accomplished through the use of a security association (SA), which is a relationship between two or more entities describing how security services will be used to communicate securely. Security associations must support multiple security services and mechanisms for the Internet Protocol (IP) suite, as well as for other security protocols. Modeling and performance results associated with the proposed security negotiation protocol are included in this dissertation.
Keywords/Search Tags: Security, Communications