
Securing Mobile Networks


klaus


Presentation Transcript


  1. Securing Mobile Networks: An Enabling Technology for National and International Security and Beyond

  2. Goals for November 6th • Highlight Mobile Networking Technology • Emphasizing National and International Security today due to time limitations. • Discuss security policy • Enabling shared infrastructure (when reasonable) • Next Steps (Afternoon Session) • Other Items (Afternoon Session)

  3. Today’s Audience • Big Picture People • Policy Makers • Media • Code Writers • Implementers Please, don’t be afraid to ask questions.

  4. Neah Bay / Mobile Router Project (network diagram). Foreign Agents at Detroit, Cleveland and "Somewhere, USA"; Home Agent at "Anywhere, USA", reached over the Internet. Neah Bay outside wireless LAN range: connected to the FA via Globalstar. Neah Bay at Cleveland harbor: connected to the FA via wireless LAN.

  5. Why NASA/USCG/Industry • Real-world deployment issues can only be addressed in an operational network. • USCG has immediate needs, therefore a willingness to work the problem. • USCG has military network requirements. • USCG is a large enough network to force us to investigate full-scale deployment issues. • USCG is small enough to work with. • NASA has the same network issues regarding mobility, security, network management and scalability.

  6. Mobile-Router Advantages • Share wireless and network resources with other organizations • $$$ savings • Set and forget • No onsite expertise required • However, you still have to engineer the network • Continuous Connectivity • (May or may not be important to your organization) • Robust • Secondary Home Agent (Reparenting of HA)

  7. Mobile Network Design Goals • Secure • Scalable • Manageable • Ability to share network infrastructure • Robust

  8. Shared Network Infrastructure (diagram: Mobile Routers of ACME Shipping, the Canadian Coast Guard, the US Coast Guard and the US Navy share Foreign Agents over the public Internet, each organization keeping its own Home Agent). Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

  9. Secondary Home Agent (reparenting the HA) (diagram: the Primary Home Agent is marked X and the Secondary Home Agent takes over). Reparenting the Home Agent helps resolve the triangular routing problem over long distances.

  10. Emergency Backup (Hub / Spoke Network). If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established. If the primary control site is physically incapacitated, there is no backup capability.

  11. Secondary Home Agent (Fully Meshed Network) (diagram: five sites, numbered 1 to 5, fully meshed). If the primary control site is physically incapacitated, a second, third or fourth site takes over automatically.

  12. We Are Running with Reverse Tunneling • Pros • Ensures topologically correct addresses on foreign networks • Required as requests from MR LAN hosts must pass through Proxy inside main firewall • Greatly simplifies setup and management of security associations in encryptors • Greatly simplifies multicast – HA makes for an excellent rendezvous point. • Cons • Uses additional bandwidth • Destroys route optimization

  13. (Network diagram: Mobile LAN 10.x.x.x behind the MR; MR tunnel endpoint in public address space; encryption on the 802.11b link to FA – Cleveland and on the link to FA – Detroit, both on public addresses; HA tunnel endpoint in public address space; Internet; firewall; proxy in front of the USCG intranet 10.x.x.x.)

  14. Open Network Data Transfers (network diagram: Mobile LAN 10.x.x.x behind the MR; 802.11b link to the dock at the USCG Officer's Club; dock encryption, EAST and WEST; FA – Cleveland and FA – Detroit on public addresses; HA; Internet; firewall; proxy in front of the USCG intranet 10.x.x.x).

  15. Encrypted Network Data Transfers (same network diagram as slide 14, showing the transfers that pass through the dock encryption).

  16. Monitoring Points (same network diagram as slide 14, with two "Open Network Monitoring Point" callouts on the public-address side of the encryptors).

  17. (Same network diagram as slide 14.) Note: we are monitoring the Neah Bay. We are using lots of bandwidth to do this.

  18. (Same diagram and note as slide 17.)

  19. RF Bandwidth (diagram). Satellite link: 7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay). 802.11b link: 11.0 Mbps (auto-negotiated and shared with the Officer's Club). Dock encryption links, EAST and WEST: 1.0 Mbps (manually set).

  20. Wireless Only? • Wireless can be jammed • Particularly unlicensed spectrum such as 802.11 • Satellites are a bit harder to jam • The solution is to find the interferer and make them stop. • You still want land-line connections • Mobile Routing can be used over land lines.

  21. Globalstar/Sea Tel MCM-8 • Initial market addresses maritime and pleasure boaters. • Client / Server architecture • Current implementation requires call to be initiated by client (ship). • Multiplexes eight channels to obtain 56 kbps total data throughput. • Full bandwidth-on-demand. • Requires use of Collocated Care-of-Address

  22. Satellite Coverage (coverage maps of Globalstar and INMARSAT, from SaVi)

  23. Layer 2 Technology (photos): Globalstar MCM-8; L3-Comm 15 dBic tracking antenna; Hypergain 802.11b flat panel; 8 dBi dipole; Sea Tel tracking antenna.

  24. Backbone Network Topology Detail Network Diagram (Intentionally Blank)

  25. Neah Bay Network Topology Detail Network Diagram (Intentionally Blank)

  26. USCG Officer’s Club Network Topology Detail Network Diagram (Intentionally Blank)

  27. Securing Mobile and Wireless Networks Some ways may be “better” than others!

  28. Constraints / Tools • Policy • Architecture • Protocols

  29. IPv4 Utopian Operation (diagram: Corresponding Node (CN) on the US Coast Guard operational network (private address space); HA; public Internet; FA and MR on the US Coast Guard mobile network; triangular routing between them).

  30. IPv4 "Real World" Operation (diagram as on slide 29, with a proxy between the US Coast Guard operational network and the public Internet). Callouts: The proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best. Glenn Research Center policy: no UDP, no IPSec, etc… Mobile-IP stopped in its tracks. What's your policy? USCG requires 3DES encryption; WEP is not acceptable due to known deficiencies. Ingress or egress filtering stops transmission due to a topologically incorrect source address. IPv6 corrects this problem.

  31. Current Solution – Reverse Tunneling (diagram as on slide 30, with MR traffic tunneled back through the HA and proxy). Adds overhead and kills route optimization. Anticipate similar problems for IPv6.
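Slides 12, 30 and 31 give two reasons the deployment runs with reverse tunneling: a packet sent directly from the visited network carries the mobile node's home address as its source, so ingress/egress filtering drops it as topologically incorrect, and even when it gets through, the reply arriving at the home network is squelched by a proxy that never saw the request. The Python model below is an added illustration, not code from the presentation; it uses the addresses from the Mobile-IP (IPv4) slide, and the /24 foreign prefix, the Internet server address and the proxy's stateful behaviour are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Home address, HA and care-of address are from the Mobile-IP (IPv4) slide.
# The foreign /24, the server address and the proxy model are assumptions.
HOME_ADDR, HOME_AGENT = "128.183.13.103", "128.183.13.1"
COA, FOREIGN_NET = "139.88.111.50", ip_network("139.88.111.0/24")
SERVER = "192.0.2.10"  # documentation address standing in for an Internet host


@dataclass
class Packet:
    src: str
    dst: str
    inner: "Packet | None" = None  # set when this packet encapsulates another


class Proxy:
    """Stateful proxy at the intranet border: a reply passes only if the
    proxy forwarded the matching request itself; otherwise it is squelched."""
    def __init__(self) -> None:
        self.seen = set()

    def outbound(self, pkt: Packet) -> None:
        self.seen.add((pkt.src, pkt.dst))

    def inbound_allowed(self, reply: Packet) -> bool:
        return (reply.dst, reply.src) in self.seen


def egress_filter(pkt: Packet, local_net) -> bool:
    """Foreign border router forwards a packet only if its outermost source
    address is topologically correct for the network it leaves."""
    return ip_address(pkt.src) in local_net


def reverse_tunnel(pkt: Packet) -> Packet:
    """Outer IP header COA -> HA; the HA strips it at the home network."""
    return Packet(src=COA, dst=HOME_AGENT, inner=pkt)


def request_reply(use_reverse_tunnel: bool, egress_filtering: bool = True) -> str:
    """Trace one request from the mobile node and the server's reply."""
    proxy = Proxy()
    req = Packet(src=HOME_ADDR, dst=SERVER)
    wire = reverse_tunnel(req) if use_reverse_tunnel else req
    if egress_filtering and not egress_filter(wire, FOREIGN_NET):
        return "request dropped by foreign-network egress filter"
    if use_reverse_tunnel:
        proxy.outbound(wire.inner)  # HA decapsulates; request exits via proxy
    # A direct (triangular) send never passes the proxy on the way out.
    reply = Packet(src=SERVER, dst=HOME_ADDR)  # reply always returns home
    if not proxy.inbound_allowed(reply):
        return "reply squelched by proxy"
    return "reply delivered to mobile node via HA"
```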

  32. Shared Network Infrastructure (repeat of slide 8). Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

  33. Security (diagram: the original packet gains one header for encryption on the RF link, another for encryption at the network layer and another for the virtual private network: header, header, header, header, payload). • More security means poorer bandwidth utilization. • More security means poorer performance. • Tunnels, tunnels, tunnels and more tunnels. • Pushing performance costs security: the user turns OFF security to make the system usable! • Thus, we need more bandwidth to ensure security.

  34. Additional and Future Security Solutions • AAA • Routers (available today) • Wireless bridges and access points (available 2002) • IPSec on router interface • Encrypted radio links • IPSec, type 1 or type 2, and future improved WEP

  35. Conclusions • Security Breaks Everything • At least it sometimes feels like that. • Need to change policy where appropriate. • Need to develop good architectures that consider how the wireless systems and protocols operate. • Possible solutions that should be investigated: • Dynamic, protocol-aware firewalls and proxies. • Possibly incorporated with Authentication and Authorization.

  36. Mobile-IP Operation (IPv4)

  37. Mobile-IP (IPv4) (diagram, nodes connected over the Internet or an intranet). Mobile Node: home IP 128.183.13.103, care-of address 139.88.111.50. Foreign Agents 139.88.111.1 and 139.88.112.1 (NASA Glenn). Corresponding Node 143.232.48.1 (NASA Ames). Home Agent 128.183.13.1 (NASA Goddard).

  38. Mobile-Router (IPv4) (diagram). Elements: host 10.2.3.101 on the virtual LAN interface 10.2.3.1 of the Mobile Router (Mobile Node); roaming interface 10.2.2.1; MR loopback virtual interface 10.2.4.10; COA 139.88.100.1 (FA WAN) with Tunnel-0; Foreign Agent 139.88.112.1 (Internet WAN) with Tunnel-1; Home Agent 128.183.13.1 (Internet WAN) with HA loopback virtual interface 128.184.25.1; Corresponding Node.

  39. Mobile-Router (IPv4), Collocated Care-of Address (same diagram as slide 38, with the callouts "No Foreign Agent" and "No Second Tunnel": Tunnel-1 and the Foreign Agent are struck out, leaving Tunnel-0 from the MR's COA 139.88.100.1 to the Home Agent 128.183.13.1).

  40. Mobile-Router (IPv4), Collocated Care-of Address (same diagram as slide 39 with the Foreign Agent and Tunnel-1 removed; other addresses unchanged).

  41. What’s Next The End Game

  42. Mobile Networks • Share Network Infrastructure • USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters • Open Radio Access / Restricted Network Access • Authentication, Authorization and Accounting • Architecture • Limited, experimental deployment onboard Neah Bay • Move RIPv2 routing from Fed. Bldg to Neah Bay • Move to full scale deployment • Requires full commitment

  43. (Network diagram: Mobile LAN 10.x.x.x behind the MR; 802.11b link; FA – Cleveland and FA – Detroit on public addresses; HA on a public address; Internet; PIX-506; proxy; intranet 10.x.x.x.) PIX-506: until we install our PIX firewall; then we should not need the baby PIX.

  44. HA Outside Main Firewall • Firewall between MR interfaces and public Internet as well as the HA and Private Intranet. • Reverse tunneling required as requests from MR LAN hosts must pass through Proxy inside main firewall.

  45. Areas that need to be addressed • Home Agent Placement • Inside or Outside the Firewall • AAA Issues • Open Radio Access / Restricted Network Access • Secure Key Management • IPv6 Mobile Networking Development • Work with industry and IETF • Develop radio link technology • Enable better connectivity throughout the world for both military and aeronautical communications (voice, video and data).

  46. NASA’s Needs: Mobile Networks

  47. Relevant NASA Aeronautics Programs • Advanced Air Transportation Technology (AATT) • Weather Information Communication (WINCOMM) • Small Aircraft Transportation System (SATS)

  48. Aeronautic Networking Issues • Move to IPv6 • IPv6 Mobile Networking • Authentication, Authorization and Accounting • Bandwidth, Bandwidth, Bandwidth • Media Access • Policy • Sending of Operations over Entertainment Channels

  49. Earth Observation (diagram with labels T1, T2, T3 and ?)
