Download - Securing Mobile Networks
1
Securing Mobile Networks
An Enabling Technology for National and International
Security and Beyond
2
Goals for November 6th Highlight Mobile Networking
Technology Emphasizing National and International
Security today due to time limitations. Discuss security policy
Enabling shared infrastructure (when reasonable)
Next Steps (Afternoon Session) Other Items (Afternoon Session)
3
Today’s Audience Big Picture People Policy Makers Media Code Writers Implementers
Please, don’t be afraid to ask questions.
Neah Bay / Mobile Router ProjectNeah Bay / Mobile Router Project
Cleveland
Detroit
Foreign-Agent
Foreign-AgentSomewhere, USA
Foreign-Agent
Home-AgentAnywhere, USA
Internet
Neah BayOutside of wireless LAN range, connected to FA via Globalstar.
Neah BayConnected to FA via wireless LAN at Cleveland harbor
5
Why NASA/USCG/Industry Real world deployment issues can only be
addressed in an operational network. USCG has immediate needs, therefore
willingness to work the problem. USCG has military network requirements. USCG is large enough network to force us to
investigate full scale deployment issues USCG is small enough to work with. NASA has same network issues regarding
mobility, security, network management and scalability.
6
Mobile-Router Advantages Share wireless and network resources with
other organizations $$$ savings
Set and forget No onsite expertise required However, you still have to engineer the network
Continuous Connectivity (May or may not be important to your
organization) Robust
Secondary Home Agent (Reparenting of HA)
7
Mobile Network Design Goals Secure Scalable Manageable Ability to sharing network
infrastructure Robust
8
PublicInternet
FA
FA
MR
MRMR
US Coast Guard
Canadian Coast Guard ACME Shipping
HA
HA
HA
HAACME
SHIPPING
MR
US Navy
Shared Network Infrastructure
Encrypting wireless links makes it very difficult to share infrastructure.This is a policy issue.
9
Secondary Home Agent(reparenting the HA)
PrimaryHome Agent
SecondaryHome Agent
Reparenting Home AgentHelps resolve triangular routingProblem over long distances
X
10
Emergency Backup(Hub / Spoke Network)
If primary control site becomesphysically inaccessible but can be electronically connected, asecondary site can be established.
If primary control site is physically incapacitated, there is no backup capability.
11
Secondary Home Agent(Fully Meshed Network)
1
2
3
4
5
If primary control site is physically incapacitated, a second or third or forth site take over automatically.
12
We Are Running with Reverse Tunneling Pros
Ensures topologically correct addresses on foreign networks
Required as requests from MR LAN hosts must pass through Proxy inside main firewall
Greatly simplifies setup and management of security associations in encryptors
Greatly simplifies multicast – HA makes for an excellent rendezvous point.
Cons Uses additional bandwidth Destroys route optimization
MobileLAN10.x.x.x
INTERNET USCGINTRANET
10.x.x.x
FA - Detroit
FA – Cleveland
HA
Encryption
PRO
XY
Encr
yptio
n
802.11b link
FIR
EWA
LLPublic Address
MRTunnel
Endpoint(Public Space)
HATunnel Endpoint(Public Space)
MobileLAN10.x.x.x
INTERNET USCGINTRANET
10.x.x.x
FA - Detroit
FA Cleveland
HA
Encryption
PRO
XY
Encr
yptio
n
802.11b link
FIR
EWA
LLPublic Address
USCG Officer’s Club
EAST
WEST
Dock
EAST
WEST
Dock
Open NetworkData Transfers
MobileLAN10.x.x.x
INTERNET USCGINTRANET
10.x.x.x
FA - Detroit
FA Cleveland
HA
Encryption
PRO
XY
Encr
yptio
n
802.11b link
FIR
EWA
LLPublic Address
USCG Officer’s Club
EAST
WEST
Dock
EAST
WEST
Dock
Encrypted NetworkData Transfers
MobileLAN10.x.x.x
INTERNET USCGINTRANET
10.x.x.x
FA - Detroit
FA Cleveland
HA
Encryption
PRO
XY
Encr
yptio
n
802.11b link
FIR
EWA
LLPublic Address
OpenNetwork
MonitoringPoint
OpenNetwork
MonitoringPoint
USCG Officer’s Club
EAST
WEST
Dock
EAST
WEST
Dock
Monitoring Points
MobileLAN10.x.x.x
INTERNET USCGINTRANET
10.x.x.x
FA - Detroit
FA Cleveland
HA
Encryption
PRO
XY
Encr
yptio
n
802.11b link
FIR
EWA
LLPublic Address
USCG Officer’s Club
EAST
WEST
Dock
EAST
WEST
Dock
Note, We are monitoringThe Neah Bay.
We are using lots of bandwidthTo do this.
MobileLAN10.x.x.x
INTERNET USCGINTRANET
10.x.x.x
FA - Detroit
FA Cleveland
HA
Encryption
PRO
XY
Encr
yptio
n
802.11b link
FIR
EWA
LLPublic Address
USCG Officer’s Club
EAST
WEST
Dock
EAST
WEST
Dock
Note, We are monitoringThe Neah Bay.
We are using lots of bandwidthTo do this.
MobileLAN10.x.x.x
Encr
yptio
n
EAST
WEST
Dock
RF Bandwidth
1.0 Mbps (manually set)
1.0 Mbps (manually set)
11.0 Mbps (auto-negotiated and shared with Officer’s Club)
7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay)
20
Wireless Only? Wireless can be jammed
Particularly unlicensed spectrum such as 802.11
Satellites is a bit harder Solution is to find interferer and make
them stop. You still want land line connections
Mobile Routing can be used over land lines.
21
Globalstar/Sea Tel MCM-8 Initial market addresses maritime and
pleasure boaters. Client / Server architecture
Current implementation requires call to be initiated by client (ship).
Multiplexes eight channels to obtain 56 kbps total data throughput.
Full bandwidth-on-demand. Requires use of Collocated Care-of-Address
22
Satellite Coverage
Globalstar
From SaVi
INMARSAT
23
Layer 2 Technology
GlobalstarMCM-8
Hypergain802.11b
Flat Panel
8 dBiDipole
L3-Comm15 dBic
Tracking Antenna
Sea Tel Tracking Antenna
Backbone Network Topology Detail Network Diagram
(Intentionally Blank)
Neah Bay Network Topology Detail Network Diagram
(Intentionally Blank)
USCG Officer’s Club Network Topology
Detail Network Diagram(Intentionally Blank)
27
Securing Mobile and Wireless Networks
Some ways may be “better” than others!
28
Constraints / Tools Policy Architecture Protocols
29
PublicInternet
FAMR
US Coast GuardMobile Network
HA
US Coast GuardOperational Network
(Private Address Space)
CN
IPv4 Utopian Operation
Triangular Routing
30
PublicInternet
FAMR
US Coast GuardMobile Network
HA
US Coast GuardOperational Network
(Private Address Space)
CN
IPv4 “Real World” Operation
PROXy
Proxy had not originated the request; therefore, the response is squelched.Peer-to-peer networking becomes problematic at best.
Glenn Research Center Policy:No UDP, No IPSec, etc…Mobile-IP stopped in its tracks.What’s your policy?
Ingress or Egress Filtering stopsTransmission due to topologicallyIncorrect source address. IPv6 Corrects this problem.
USCG Requires 3DES encryption.WEP is not acceptable due to known deficiencies.
31
PublicInternet
FAMR
US Coast GuardMobile Network
HA
US Coast GuardOperational Network
(Private Address Space)
CN
Current Solution – Reverse Tunneling
PROXy
Anticipate similar problems for IPv6.
Adds Overhead and kills route optimization.
32
PublicInternet
FA
FA
MR
MRMR
US Coast Guard
Canadian Coast Guard ACME Shipping
HA
HA
HA
HAACME
SHIPPING
MR
US Navy
Shared Network Infrastructure
Encrypting wireless links makes it very difficult to share infrastructure.This is a policy issue.
Security• Security Bandwidth Utilization • Security Performance • Tunnels Tunnels Tunnels and more Tunnels• Performance Security
User turns OFF Security to make system usable!• Thus, we need more bandwidth to ensure
security.
PAYLOADHEADER
ORIGINAL PACKET
HEADER
VIRTUAL PRIVATE NETWORK
HEADER
ENCRYPTION AT THE NETWORK LAYER
HEADER
ENCRYPTION ON THE RF LINK
34
Additional and FutureSecurity Solutions AAA
Routers (available today) Wireless bridges and access points
(available 2002) IPSec on router interface Encrypted radio links
IPSec, type1 or type2, and future improved WEP
35
Conclusions Security Breaks Everything
At least it sometimes feels like that. Need to change policy where appropriate. Need to develop good architectures that
consider how the wireless systems and protocols operate.
Possible solutions that should be investigated: Dynamic, Protocol aware firewalls and proxies.
Possibly incorporated with Authentication and Authorization.
36
Moblile-IP Operation
IPv4
Mobile Node
Foreign Agent Foreign Agent
Home Agent
“ ”
139.88.111.1
143.232.48.1NASA Ames
Corresponding Node
Internet or Intranet
139.88.112.1NASA Glenn
143.232.48.1
Home IP 128.183.13.103Care-Off-Address139.88.111.50
128.183.13.1NASA Goddard
Mobile-IP (IPv4)
Mobile Router(Mobile Node)
Foreign Agent
Home AgentCorresponding Node
139.88.112.1Internet WAN
Tunnel-0
10.2.3.101
128.183.13.1Internet WAN
Internet
10.2.2.1RoamingInterface
10.2.3.1Virtual LANInterface
Tunnel-1
128.184.25.1HA LoopbackVirtual Interface
139.88.100.1FA WAN
10.2.4.10MR Loopback
Virtual InterfaceCOA 139.88.100.1
Mobile-Router (IPv4)Mobile Router
Mobile Router(Mobile Node)
Home AgentCorresponding Node
139.88.112.1Internet WAN
Tunnel-0
10.2.3.101
128.183.13.1Internet WAN
10.2.2.1RoamingInterface
10.2.3.1Virtual LANInterface
Foreign Agent Tunnel-1
128.184.25.1HA LoopbackVirtual Interface
139.88.100.1FA WAN
10.2.4.10MR Loopback
Virtual InterfaceCOA 139.88.100.1
Mobile-Router (IPv4)Collocated Care-Of-Address
Internet No Foreign AgentNo Second Tunnel
Mobile Router(Mobile Node)
Home AgentCorresponding Node
139.88.112.1Internet WAN
Tunnel-0
10.2.3.101
128.183.13.1Internet WAN
Internet
10.2.2.1RoamingInterface
10.2.3.1Virtual LANInterface
128.184.25.1HA LoopbackVirtual Interface
139.88.100.1
10.2.4.10MR Loopback
Virtual InterfaceCOA 139.88.100.1
Mobile-Router (IPv4)Collocated Care-Of-Address
41
What’s Next
The End Game
42
Mobile Networks Share Network Infrastructure
USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters
Open Radio Access / Restricted Network Access Authentication, Authorization and Accounting
Architecture Limited, experimental deployment onboard
Neah Bay Move RIPv2 routing from Fed. Bldg to Neah Bay
Move to full scale deployment Requires full commitment
MRPublic
MobileLAN10.x.x.x
INTERNET
INTRANET10.x.x.x
FA – ClevelandPublic
HAPublic
PIX- 506 – until we install our PIX FWThen we should not need the babyPIX.
PRO
XY
PIX-506
802.11b link
FA - Detroit
44
HA Outside Main Firewall Firewall between MR interfaces and
public Internet as well as the HA and Private Intranet.
Reverse tunneling required as requests from MR LAN hosts must pass through Proxy inside main firewall.
45
Areas that need to be addressed Home Agent Placement
Inside or Outside the Firewall AAA Issues
Open Radio Access / Restricted Network Access Secure Key Management
IPv6 Mobile Networking Development Work with industry and IETF
Develop radio link technology Enable better connectivity throughout the world
for both military and aeronautical communications (voice, video and data).
46
NASA’s Needs
Mobile Networks
47
Relevant NASA Aeronautics Programs Advanced Air Transportation
Technology (AATT) Weather Information
Communication (WINCOMM) Small Aircraft Transportation
System (SATS)
48
Aeronautic Networking Issues
Move to IPv6 IPv6 Mobile Networking
Authentication, Authorization and Accounting
Bandwidth, Bandwidth, Bandwidth Media Access Policy
Sending of Operations over Entertainment Channels
Earth Observation
T1T2?
T3
51
Space Flight Implementation Sharing Infrastructure
Common Media Access Common Ground Terminal Capabilites Common Network Access
AAA Common Modulation and Coding
Software Radio
Backup
53
Asymmetrical Pathing
Mobile Router
MilStar,Globalstar,
Others
DVBSatellite
Internet
Home Agent
Foreign AgentForeign Agent
54
Neah Bay
55
Papers and Presentationshttp://roland.grc.nasa.gov/~ivancic/papers_presentations/
papers.html or
http://roland.grc.nasa.gov/~ivancic/ and pick
“Papers and Presentations”