Securing Mobile Networks

1

Securing Mobile Networks

An Enabling Technology for National and International

Security and Beyond

2

Goals for November 6th Highlight Mobile Networking

Technology Emphasizing National and International

Security today due to time limitations. Discuss security policy

Enabling shared infrastructure (when reasonable)

Next Steps (Afternoon Session) Other Items (Afternoon Session)

3

Today’s Audience Big Picture People Policy Makers Media Code Writers Implementers

Please, don’t be afraid to ask questions.

Neah Bay / Mobile Router ProjectNeah Bay / Mobile Router Project

Cleveland

Detroit

Foreign-Agent

Foreign-AgentSomewhere, USA

Foreign-Agent

Home-AgentAnywhere, USA

Internet

Neah BayOutside of wireless LAN range, connected to FA via Globalstar.

Neah BayConnected to FA via wireless LAN at Cleveland harbor

5

Why NASA/USCG/Industry Real world deployment issues can only be

addressed in an operational network. USCG has immediate needs, therefore

willingness to work the problem. USCG has military network requirements. USCG is large enough network to force us to

investigate full scale deployment issues USCG is small enough to work with. NASA has same network issues regarding

mobility, security, network management and scalability.

6

Mobile-Router Advantages Share wireless and network resources with

other organizations $$$ savings

Set and forget No onsite expertise required However, you still have to engineer the network

Continuous Connectivity (May or may not be important to your

organization) Robust

Secondary Home Agent (Reparenting of HA)

7

Mobile Network Design Goals Secure Scalable Manageable Ability to sharing network

infrastructure Robust

8

PublicInternet

FA

FA

MR

MRMR

US Coast Guard

Canadian Coast Guard ACME Shipping

HA

HA

HA

HAACME

SHIPPING

MR

US Navy

Shared Network Infrastructure

Encrypting wireless links makes it very difficult to share infrastructure.This is a policy issue.

9

Secondary Home Agent(reparenting the HA)

PrimaryHome Agent

SecondaryHome Agent

Reparenting Home AgentHelps resolve triangular routingProblem over long distances

X

10

Emergency Backup(Hub / Spoke Network)

If primary control site becomesphysically inaccessible but can be electronically connected, asecondary site can be established.

If primary control site is physically incapacitated, there is no backup capability.

11

Secondary Home Agent(Fully Meshed Network)

1

2

3

4

5

If primary control site is physically incapacitated, a second or third or forth site take over automatically.

12

We Are Running with Reverse Tunneling Pros

Ensures topologically correct addresses on foreign networks

Required as requests from MR LAN hosts must pass through Proxy inside main firewall

Greatly simplifies setup and management of security associations in encryptors

Greatly simplifies multicast – HA makes for an excellent rendezvous point.

Cons Uses additional bandwidth Destroys route optimization

MobileLAN10.x.x.x

INTERNET USCGINTRANET

10.x.x.x

FA - Detroit

FA – Cleveland

HA

Encryption

PRO

XY

Encr

yptio

n

802.11b link

FIR

EWA

LLPublic Address

MRTunnel

Endpoint(Public Space)

HATunnel Endpoint(Public Space)

MobileLAN10.x.x.x


10.x.x.x

FA - Detroit

FA Cleveland

HA

Encryption

PRO

XY

Encr

yptio

n

802.11b link

FIR

EWA

LLPublic Address

USCG Officer’s Club

EAST

WEST

Dock

EAST

WEST

Dock

Open NetworkData Transfers

MobileLAN10.x.x.x


10.x.x.x

FA - Detroit

FA Cleveland

HA

Encryption

PRO

XY

Encr

yptio

n

802.11b link

FIR

EWA

LLPublic Address


EAST

WEST

Dock

EAST

WEST

Dock

Encrypted NetworkData Transfers

MobileLAN10.x.x.x


10.x.x.x

FA - Detroit

FA Cleveland

HA

Encryption

PRO

XY

Encr

yptio

n

802.11b link

FIR

EWA

LLPublic Address

OpenNetwork

MonitoringPoint

OpenNetwork

MonitoringPoint


EAST

WEST

Dock

EAST

WEST

Dock

Monitoring Points

MobileLAN10.x.x.x


10.x.x.x

FA - Detroit

FA Cleveland

HA

Encryption

PRO

XY

Encr

yptio

n

802.11b link

FIR

EWA

LLPublic Address


EAST

WEST

Dock

EAST

WEST

Dock

Note, We are monitoringThe Neah Bay.

We are using lots of bandwidthTo do this.

MobileLAN10.x.x.x


10.x.x.x

FA - Detroit

FA Cleveland

HA

Encryption

PRO

XY

Encr

yptio

n

802.11b link

FIR

EWA

LLPublic Address


EAST

WEST

Dock

EAST

WEST

Dock

Note, We are monitoringThe Neah Bay.

We are using lots of bandwidthTo do this.

MobileLAN10.x.x.x

Encr

yptio

n

EAST

WEST

Dock

RF Bandwidth

1.0 Mbps (manually set)

1.0 Mbps (manually set)

11.0 Mbps (auto-negotiated and shared with Officer’s Club)

7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay)

20

Wireless Only? Wireless can be jammed

Particularly unlicensed spectrum such as 802.11

Satellites is a bit harder Solution is to find interferer and make

them stop. You still want land line connections

Mobile Routing can be used over land lines.

21

Globalstar/Sea Tel MCM-8 Initial market addresses maritime and

pleasure boaters. Client / Server architecture

Current implementation requires call to be initiated by client (ship).

Multiplexes eight channels to obtain 56 kbps total data throughput.

Full bandwidth-on-demand. Requires use of Collocated Care-of-Address

22

Satellite Coverage

Globalstar

From SaVi

INMARSAT

23

Layer 2 Technology

GlobalstarMCM-8

Hypergain802.11b

Flat Panel

8 dBiDipole

L3-Comm15 dBic

Tracking Antenna

Sea Tel Tracking Antenna

Backbone Network Topology Detail Network Diagram

(Intentionally Blank)

Neah Bay Network Topology Detail Network Diagram

(Intentionally Blank)

USCG Officer’s Club Network Topology

Detail Network Diagram(Intentionally Blank)

27

Securing Mobile and Wireless Networks

Some ways may be “better” than others!

28

Constraints / Tools Policy Architecture Protocols

29

PublicInternet

FAMR

US Coast GuardMobile Network

HA

US Coast GuardOperational Network

(Private Address Space)

CN

IPv4 Utopian Operation

Triangular Routing

30

PublicInternet

FAMR


HA



CN

IPv4 “Real World” Operation

PROXy

Proxy had not originated the request; therefore, the response is squelched.Peer-to-peer networking becomes problematic at best.

Glenn Research Center Policy:No UDP, No IPSec, etc…Mobile-IP stopped in its tracks.What’s your policy?

Ingress or Egress Filtering stopsTransmission due to topologicallyIncorrect source address. IPv6 Corrects this problem.

USCG Requires 3DES encryption.WEP is not acceptable due to known deficiencies.

31

PublicInternet

FAMR


HA



CN

Current Solution – Reverse Tunneling

PROXy

Anticipate similar problems for IPv6.

Adds Overhead and kills route optimization.

32

PublicInternet

FA

FA

MR

MRMR

US Coast Guard

Canadian Coast Guard ACME Shipping

HA

HA

HA

HAACME

SHIPPING

MR

US Navy

Shared Network Infrastructure

Encrypting wireless links makes it very difficult to share infrastructure.This is a policy issue.

Security• Security Bandwidth Utilization • Security Performance • Tunnels Tunnels Tunnels and more Tunnels• Performance Security

User turns OFF Security to make system usable!• Thus, we need more bandwidth to ensure

security.

PAYLOADHEADER

ORIGINAL PACKET

HEADER

VIRTUAL PRIVATE NETWORK

HEADER

ENCRYPTION AT THE NETWORK LAYER

HEADER

ENCRYPTION ON THE RF LINK

34

Additional and FutureSecurity Solutions AAA

Routers (available today) Wireless bridges and access points

(available 2002) IPSec on router interface Encrypted radio links

IPSec, type1 or type2, and future improved WEP

35

Conclusions Security Breaks Everything

At least it sometimes feels like that. Need to change policy where appropriate. Need to develop good architectures that

consider how the wireless systems and protocols operate.

Possible solutions that should be investigated: Dynamic, Protocol aware firewalls and proxies.

Possibly incorporated with Authentication and Authorization.

36

Moblile-IP Operation

IPv4

Mobile Node

Foreign Agent Foreign Agent

Home Agent

“ ”

139.88.111.1

143.232.48.1NASA Ames

Corresponding Node

Internet or Intranet

139.88.112.1NASA Glenn

143.232.48.1

Home IP 128.183.13.103Care-Off-Address139.88.111.50

128.183.13.1NASA Goddard

Mobile-IP (IPv4)

Mobile Router(Mobile Node)

Foreign Agent

Home AgentCorresponding Node

139.88.112.1Internet WAN

Tunnel-0

10.2.3.101


Internet

10.2.2.1RoamingInterface

10.2.3.1Virtual LANInterface

Tunnel-1

128.184.25.1HA LoopbackVirtual Interface

139.88.100.1FA WAN

10.2.4.10MR Loopback

Virtual InterfaceCOA 139.88.100.1

Mobile-Router (IPv4)Mobile Router




Tunnel-0

10.2.3.101




Foreign Agent Tunnel-1


139.88.100.1FA WAN



Mobile-Router (IPv4)Collocated Care-Of-Address

Internet No Foreign AgentNo Second Tunnel




Tunnel-0

10.2.3.101


Internet




139.88.100.1



Mobile-Router (IPv4)Collocated Care-Of-Address

41

What’s Next

The End Game

42

Mobile Networks Share Network Infrastructure

USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters

Open Radio Access / Restricted Network Access Authentication, Authorization and Accounting

Architecture Limited, experimental deployment onboard

Neah Bay Move RIPv2 routing from Fed. Bldg to Neah Bay

Move to full scale deployment Requires full commitment

MRPublic

MobileLAN10.x.x.x

INTERNET

INTRANET10.x.x.x

FA – ClevelandPublic

HAPublic

PIX- 506 – until we install our PIX FWThen we should not need the babyPIX.

PRO

XY

PIX-506

802.11b link

FA - Detroit

44

HA Outside Main Firewall Firewall between MR interfaces and

public Internet as well as the HA and Private Intranet.

Reverse tunneling required as requests from MR LAN hosts must pass through Proxy inside main firewall.

45

Areas that need to be addressed Home Agent Placement

Inside or Outside the Firewall AAA Issues

Open Radio Access / Restricted Network Access Secure Key Management

IPv6 Mobile Networking Development Work with industry and IETF

Develop radio link technology Enable better connectivity throughout the world

for both military and aeronautical communications (voice, video and data).

46

NASA’s Needs

Mobile Networks

47

Relevant NASA Aeronautics Programs Advanced Air Transportation

Technology (AATT) Weather Information

Communication (WINCOMM) Small Aircraft Transportation

System (SATS)

48

Aeronautic Networking Issues

Move to IPv6 IPv6 Mobile Networking

Authentication, Authorization and Accounting

Bandwidth, Bandwidth, Bandwidth Media Access Policy

Sending of Operations over Entertainment Channels

Earth Observation

T1T2?

T3

51

Space Flight Implementation Sharing Infrastructure

Common Media Access Common Ground Terminal Capabilites Common Network Access

AAA Common Modulation and Coding

Software Radio

Backup

53

Asymmetrical Pathing

Mobile Router

MilStar,Globalstar,

Others

DVBSatellite

Internet

Home Agent

Foreign AgentForeign Agent

54

Neah Bay

55

Papers and Presentationshttp://roland.grc.nasa.gov/~ivancic/papers_presentations/

papers.html or

http://roland.grc.nasa.gov/~ivancic/ and pick

“Papers and Presentations”

Documents

Securing Mobile Networks