Securing Mobile Networks in an Operational Setting
Will Ivancic, [email protected] (216)...
Outline
- Security Considerations
- Neah Bay Project
- Cost of Connectivity
- NASA’s Mobile Network Needs
Security Considerations
Securing Networks: Constraints/Tools
- Policy: Security Policy, Education, Enforcement
- Architecture
- Protocols
Must be done up front to be done well.
IPv4 Utopian Operation: Triangular Routing
[Diagram: the Mobile Router (MR) on the US Coast Guard Mobile Network attaches to a Foreign Agent (FA) on the Public Internet; the Home Agent (HA) sits on the US Coast Guard Operational Network (Private Address Space); traffic from the Correspondent Node (CN) travels CN -> HA -> FA -> MR, while the MR replies directly to the CN (triangular routing).]
IPv4 “Real World” Operation
[Diagram: the same topology with a PROXY at the edge of the US Coast Guard Operational Network.]
- The proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best.
- Glenn Research Center policy: no UDP, no IPSec, etc. Mobile-IP stopped in its tracks. What’s your policy?
- Ingress or egress filtering stops transmission due to a topologically incorrect source address. IPv6 corrects this problem.
- USCG requires 3DES encryption. WEP is not acceptable due to known deficiencies.
Current Solution – Reverse Tunneling
[Diagram: the same topology with the PROXY; MR traffic is tunneled back through the HA instead of being sent directly to the CN.]
- Anticipate similar problems for IPv6.
- Adds overhead and kills route optimization.
Security
- Security vs. Bandwidth Utilization
- Security vs. Performance: tunnels, tunnels, tunnels and more tunnels
- Performance vs. Security: the user turns OFF security to make the system usable! Thus, we need more bandwidth to ensure security.
[Figure: header stacking. The ORIGINAL PACKET (HEADER + PAYLOAD) is wrapped by a VIRTUAL PRIVATE NETWORK HEADER, which is wrapped by an ENCRYPTION AT THE NETWORK LAYER header, which is wrapped by an ENCRYPTION ON THE RF LINK header.]
Conclusions Regarding Security
- Security breaks everything. At least it sometimes feels like that. “The Ultimate Denial of Service Attack” – D.S.
- Need to change policy where appropriate.
- Need to develop good architectures that consider how the wireless systems and protocols operate.
- Possible solutions that should be investigated: dynamic, protocol-aware firewalls and proxies, possibly incorporated with authentication and authorization.
Neah Bay / Mobile Router Project
[Diagram: Foreign Agents at Cleveland and Detroit; a Foreign Agent at the Globalstar gateway (G/T) in Smiths Falls, Canada; the Home Agent in “Anywhere, USA”; all connected over the Internet. Neah Bay, when outside wireless LAN range, connects via Globalstar using a Collocated Care-of Address; at Cleveland harbor it connects to the FA via wireless LAN.]
Why NASA/USCG/Industry
- Real world deployment issues can only be addressed in an operational network.
- USCG has immediate needs, therefore a willingness to work the problem.
- USCG has military network requirements.
- USCG’s network is large enough to force us to investigate full-scale deployment issues, yet small enough to work with.
- NASA has the same network issues regarding mobility, security, network management and scalability.
13
Mobile-Router Advantages Share wireless and network resources with
other organizations $$$ savings
Set and forget No onsite expertise required However, you still have to engineer the network
Continuous Connectivity (May or may not be important to your
organization) Robust
Secondary Home Agent (Dynamic HA)
Mobile Network Design Goals
- Secure
- Scalable
- Manageable
- Ability to share network infrastructure
- Robust
Shared Network Infrastructure
[Diagram: two Foreign Agents on the Public Internet serve Mobile Routers belonging to the US Coast Guard, the Canadian Coast Guard, ACME Shipping and the US Navy; each organization keeps its own Home Agent.]
Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.
Secondary Home Agent (Dynamic HA)
[Diagram: Primary Home Agent and Secondary Home Agent; the Mobile Router reparents from the primary to the secondary HA.]
Reparenting the Home Agent helps resolve the triangular routing problem over long distances.
Emergency Backup (Hub / Spoke Network)
- If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established.
- If the primary control site is physically incapacitated, there is no backup capability.
Secondary Home Agent (Fully Meshed Network)
[Diagram: five sites (1–5) in a full mesh.]
If the primary control site is physically incapacitated, a second, third or fourth site takes over automatically.
We Are Running with Reverse Tunneling
Pros:
- Ensures topologically correct addresses on foreign networks
- Required, as requests from MR LAN hosts must pass through the proxy inside the main firewall
- Greatly simplifies setup and management of security associations in encryptors
- Greatly simplifies multicast: the HA makes for an excellent rendezvous point
- The Mobile Router does NOT have to be in public address space so long as the Collocated Care-of Address is
Cons:
- Uses additional bandwidth
- Destroys route optimization
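As an added illustration (not part of the presentation or the USCG deployment), the following Python model runs an ingress filter on the foreign network against a packet sent the “utopian” way (home address as source) and against the same packet reverse-tunneled to the HA, and counts the bytes each puts on the foreign link; all addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed addresses for the model; not the deployment's real addressing.
FOREIGN_NET = IPv4Network("198.51.100.0/24")  # public subnet behind a Foreign Agent
CCOA = IPv4Address("198.51.100.77")           # MR's collocated care-of address there
MR_HOME = IPv4Address("10.20.0.1")            # MR home address in private USCG space
HA = IPv4Address("203.0.113.1")               # home agent, reachable from the Internet
CN = IPv4Address("192.0.2.10")                # correspondent node
IPV4_HDR = 20                                 # bytes per IPv4 header without options

@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    payload: int                      # payload bytes of an un-tunneled packet
    inner: Optional["Packet"] = None  # encapsulated packet, if this is a tunnel packet

    def wire_len(self) -> int:
        """Bytes on the wire: one IP header per encapsulation level."""
        return IPV4_HDR + (self.inner.wire_len() if self.inner else self.payload)

def ingress_filter(pkt: Packet, local: IPv4Network) -> bool:
    """Foreign-network edge filter: forward only topologically correct sources."""
    return pkt.src in local

def triangular(payload: int) -> Packet:
    """'Utopian' Mobile IPv4: MR sends to CN directly with its home address as source."""
    return Packet(MR_HOME, CN, payload)

def reverse_tunneled(payload: int) -> Packet:
    """Reverse tunneling: the same packet wrapped in an outer CCoA -> HA header."""
    return Packet(CCOA, HA, 0, inner=Packet(MR_HOME, CN, payload))

def home_agent_decap(pkt: Packet) -> Packet:
    """The HA strips the outer header and forwards the inner packet toward CN."""
    if pkt.dst != HA or pkt.inner is None:
        raise ValueError("not a tunnel packet addressed to the HA")
    return pkt.inner

def deliver(pkt: Packet) -> tuple:
    """Returns (reached CN?, bytes sent on the foreign link)."""
    sent = pkt.wire_len()
    if not ingress_filter(pkt, FOREIGN_NET):
        return False, sent           # dropped at the foreign network edge
    if pkt.dst == HA:
        pkt = home_agent_decap(pkt)  # extra hop via the HA: no route optimization
    return pkt.dst == CN, sent
```

The un-tunneled packet is dropped by the filter, while the tunneled one reaches the CN at the cost of one extra 20-byte header and the detour through the HA.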
[Diagram: Neah Bay deployment topology. Elements: Internet; wireless bridges (WB); Globalstar link using a Collocated COA; FA – Cleveland; FA – Detroit; HA (loopback has a public address) with the open Internet to the HA; satellite antenna system; VoIP; encryptors; USCG Intranet; Ameritech DSL with subnet; APKnet DSL with subnet; GlobalStar network (NATing from public to private); MR (loopback has a public address); Neah Bay (protected LAN).]
MR does not have to be in public address space when using reverse tunneling. However, the FA or CCoA does, in order to transition the Internet.
[Diagram: Encrypted Network Data Transfers. Mobile LAN 10.x.x.x behind the MR; 802.11b links from the EAST and WEST docks and the USCG Officer’s Club to FA Cleveland and FA Detroit; HA, proxy, firewall and encryption at the boundary between the INTERNET (public address) and the USCG INTRANET 10.x.x.x.]
Use and Deployments
- 1st demonstrated August 23 & November 6, 2002
- Used in an operational setting July – Sept 2003, New York and Boston Harbor: NY had no land line; the Boston land line was poor – switched to satellite
- Used Oct – Nov 2003 at shipyard during maintenance, 802.11b at 11 Mbps
Operational System
[Diagram: Mobile LAN 10.x.x.x behind the MR (public); 802.11b link to FA – Cleveland (private) and FA – Detroit; HA (public) with proxy and PIX-506 at the INTERNET / INTRANET 10.x.x.x boundary.]
The Home Agent is incorporated with the firewall and proxy, with acceptable encryption.
Goal – have mobile utilize both public and private infrastructure.
Maintaining Two Networks (Routing over Layer-3 Encryptors)
[Diagram: HA, encryptor, Internet, private leased line, USCG Intranet, encryptor, Fed Bldg router, MR, Neah Bay LAN, dockside router; an umbilical cord is connected when docked; RIPv2 runs across the links.]
[Diagram: Mobile Router and Foreign Agent separated by two ENCRYPTORs; RIPv2 and ICMP Router Discovery must cross them.]
Decrementing TTL in Layer-3 encryptors disables routing protocols.
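An added model (not from the presentation) of the TTL problem with Layer-3 encryptors: RIPv2 and ICMP Router Discovery are link-local protocols sent with TTL 1, so any device on the path that decrements TTL discards the update, while an encryptor that passes IP through untouched lets it reach the Foreign Agent. The paths below are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# Link-local multicast groups used by the routing protocols on the slide.
RIPV2_GROUP = "224.0.0.9"         # RIPv2 updates, sent with TTL 1
ALL_ROUTERS_GROUP = "224.0.0.2"   # ICMP Router Discovery solicitations, TTL 1

@dataclass
class Datagram:
    dst: str
    ttl: int

@dataclass
class Hop:
    name: str
    decrements_ttl: bool  # True for a router, or an encryptor acting as a Layer-3 hop

def forward(pkt: Datagram, hop: Hop) -> Optional[Datagram]:
    """One device on the path. A TTL-decrementing device discards the packet
    when TTL would reach 0; a transparent (bump-in-the-wire) device passes it."""
    if not hop.decrements_ttl:
        return pkt
    if pkt.ttl <= 1:
        return None
    return Datagram(pkt.dst, pkt.ttl - 1)

def traverse(pkt: Datagram, path: List[Hop]) -> Optional[Datagram]:
    """Push a datagram through every intermediate device between MR and FA."""
    for hop in path:
        pkt = forward(pkt, hop)
        if pkt is None:
            return None
    return pkt

def routing_update_survives(path: List[Hop], group: str = RIPV2_GROUP) -> bool:
    """Does a TTL-1 routing-protocol update from the Mobile Router reach the
    Foreign Agent on the far side of the path?"""
    return traverse(Datagram(group, 1), path) is not None

# Constructed paths between the Mobile Router and the Foreign Agent.
L3_ENCRYPTOR_PATH = [Hop("encryptor", decrements_ttl=True)]
TRANSPARENT_PATH = [Hop("encryptor", decrements_ttl=False)]
```

Ordinary unicast traffic with a large TTL crosses the decrementing encryptor fine; only the TTL-1 routing and discovery packets are lost, which is why the adjacency between MR and FA never forms.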
Globalstar/Sea Tel MCM-8
- Initial market addresses maritime and pleasure boaters.
- Client / server architecture – a common architecture. The current implementation requires the call to be initiated by the client (ship).
- Multiplexes eight channels to obtain 56 kbps total data throughput. Full bandwidth-on-demand.
- Requires use of a Collocated Care-of Address.
Satellite Coverage
[Figure: Globalstar and INMARSAT coverage maps, from SaVi.]
Link Performance Considerations
[Figure: link rates along the path: 11 Mbps, 128 kbps, 11 Mbps.]
Cost of Connectivity (Examples)
Deployment Issues (Mobile)
- Equipment costs
- Service cost
- Network peculiarities: Network Address Translators, Performance Enhancing Proxies, security mechanisms, packet filtering
- Connection mechanisms: Smart Card authentication, MAC and/or static key (manual login is unacceptable)
NASA’s Mobile Network Needs
- Space-based systems
- Aeronautics (in partnership with FAA): weather dissemination, air traffic management, free flight
- Terrestrial (surface) systems: rovers, astronauts
- Earth Observation
[Figure: Earth Observation / Sensor Web, with T1, T2? and T3 labels.]
Pick “Papers and Presentations” at http://roland.grc.nasa.gov/~ivancic/
Neah Bay
Backup Slides
Networks in Motion (NEMO) Experiments, IPv4 & IPv6
[Diagram series: a Secure Mobile LAN behind a Mobile Router reaches a Corresponding Public Node on the Public Internet and a Corresponding Private Node on the Private Intranet; the Home Agent sits behind a PROXY and ENCRYPTORs at the Internet/Intranet boundary. The final panel shows the proxy blocking communication initiated outside the firewall.]
[Diagram: Mobile Router and Foreign Agent with an ENCRYPTOR pair between them: “Ouch!”]
Layer 2 Technology
- Globalstar MCM-8
- Hypergain 802.11b flat panel
- 8 dBi dipole
- L3-Comm 15 dBic tracking antenna
- Sea Tel tracking antenna
[Diagram: reverse-tunnel endpoints. Mobile LAN 10.x.x.x behind the MR; 802.11b link to FA – Detroit and FA – Cleveland; HA, proxy, firewall and encryption at the INTERNET (public address) / USCG INTRANET 10.x.x.x boundary; the MR tunnel endpoint and the HA tunnel endpoint are both in public space.]
MR does not have to be in public address space when using reverse tunneling. However, the FA or CCoA do.
[Diagram: Open Network Data Transfers. The same topology with EAST and WEST dock and USCG Officer’s Club 802.11b links.]
RF Bandwidth (per link, as labeled on the diagram):
- 1.0 Mbps (manually set)
- 1.0 Mbps (manually set)
- 11.0 Mbps (auto-negotiated and shared with Officer’s Club)
- 7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay)
Wireless Only?
- Wireless can be jammed (intentionally or unintentionally), particularly unlicensed spectrum such as 802.11. Satellite is a bit harder.
- The solution is to find the interferer and make them stop.
- You may still want land line connections. Mobile routing can be used over land lines.