Secure Mobile Networks

Jun 02, 2018

Transcript
8/10/2019 Secure Mobile Networks

Slide 1: Securing Mobile Networks
An Enabling Technology for National and International Security and Beyond

Slide 2: Goals for November 6th
- Highlight mobile networking technology, emphasizing national and international security today due to time limitations.
- Discuss security policy.
- Enabling shared infrastructure (when reasonable).
- Next steps (afternoon session).
- Other items (afternoon session).

Slide 3: Today's Audience
- Big picture people
- Policy makers
- Media
- Code writers
- Implementers
Please, don't be afraid to ask questions.

Slide 4: Neah Bay / Mobile Router Project (network diagram)
Foreign Agents at Cleveland, Detroit and "Somewhere, USA"; Home Agent at "Anywhere, USA"; all reached over the Internet.
- Neah Bay outside of wireless LAN range: connected to the FA via Globalstar.
- Neah Bay at Cleveland harbor: connected to the FA via wireless LAN.

Slide 5: Why NASA / USCG / Industry
- Real world deployment issues can only be addressed in an operational network.
- USCG has immediate needs, therefore a willingness to work the problem.
- USCG has military network requirements.
- USCG is a large enough network to force us to investigate full-scale deployment issues, yet small enough to work with.
- NASA has the same network issues regarding mobility, security, network management and scalability.

Slide 6: Mobile-Router Advantages
- Share wireless and network resources with other organizations: $$$ savings.
- Set and forget: no onsite expertise required. However, you still have to engineer the network.
- Continuous connectivity (may or may not be important to your organization).
- Robust: secondary Home Agent (reparenting of the HA).

Slide 7: Mobile Network Design Goals
- Secure
- Scalable
- Manageable
- Ability to share network infrastructure
- Robust

Slide 8: Shared Network Infrastructure (network diagram)
Mobile Routers (MR) of the US Coast Guard, Canadian Coast Guard, ACME Shipping and US Navy reach the public Internet through shared Foreign Agents (FA); each organization keeps its own Home Agent (HA).
Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

Slide 9: Secondary Home Agent (reparenting the HA) (diagram: Primary Home Agent, Secondary Home Agent, mobile router moving from one to the other)
Reparenting the Home Agent helps resolve the triangular routing problem over long distances.

Slide 10: Emergency Backup (Hub / Spoke Network)
If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established.
If the primary control site is physically incapacitated, there is no backup capability.

Slide 11: Secondary Home Agent (Fully Meshed Network) (diagram: sites 1 through 5, fully meshed)
If the primary control site is physically incapacitated, a second or third or fourth site takes over automatically.

Slide 12: We Are Running with Reverse Tunneling
Pros:
- Ensures topologically correct addresses on foreign networks.
- Required, as requests from MR LAN hosts must pass through the proxy inside the main firewall.
- Greatly simplifies setup and management of security associations in encryptors.
- Greatly simplifies multicast: the HA makes for an excellent rendezvous point.
Cons:
- Uses additional bandwidth.
- Destroys route optimization.

Slide 13: Neah Bay deployment (network diagram)
Mobile LAN (10.x.x.x) behind the MR; 802.11b link to the FA at Cleveland or the FA at Detroit; across the Internet to the HA; firewall, encryption and proxy in front of the USCG intranet (10.x.x.x). The MR tunnel endpoint and the HA tunnel endpoint both sit in public address space.

Slide 14: Open Network Data Transfers (same diagram as slide 13, adding the USCG Officers Club and the East and West docks)

Slide 15: Encrypted Network Data Transfers (same diagram as slide 14)

Slide 16: Monitoring Points (same diagram as slide 14, with open-network monitoring points at the docks and the Officers Club)

Slides 17-18: (same diagram as slide 14)
Note, we are monitoring the Neah Bay. We are using lots of bandwidth to do this.

Slide 19: RF Bandwidth (diagram: Mobile LAN 10.x.x.x, encryption, East and West docks)
- 1.0 Mbps (manually set)
- 1.0 Mbps (manually set)
- 11.0 Mbps (auto-negotiated and shared with the Officers Club)
- 7 kbps to 56 kbps in 7 kbps chunks (1 to 2.5 seconds delay)

Slide 20: Wireless Only?
- Wireless can be jammed, particularly unlicensed spectrum such as 802.11. Satellites are a bit harder.
- The solution is to find the interferer and make them stop.
- You still want land-line connections. Mobile routing can be used over land lines.

Slide 21: Globalstar / Sea Tel MCM-8
- Initial market addresses maritime and pleasure boaters.
- Client / server architecture: the current implementation requires the call to be initiated by the client (ship).
- Multiplexes eight channels to obtain 56 kbps total data throughput. Full bandwidth-on-demand.
- Requires use of a collocated care-of address.

Slide 22: Satellite Coverage (coverage maps for Globalstar and INMARSAT, from SaVi)

Slide 23: Layer 2 Technology
- Globalstar MCM-8 with Sea Tel tracking antenna
- Hypergain 802.11b flat panel, 8 dBi
- Dipole
- L3-Comm 15 dBic tracking antenna

Slides 24-26: Backbone Network Topology, Neah Bay Network Topology, USCG Officers Club Network Topology (detail network diagrams, intentionally blank)

Slide 27: Securing Mobile and Wireless Networks
Some ways may be better than others!

Slide 28: Constraints / Tools
- Policy
- Architecture
- Protocols

Slide 29: IPv4 Utopian Operation (network diagram)
CN on the public Internet; FA; MR on the US Coast Guard mobile network; HA on the US Coast Guard operational network (private address space). Triangular routing: CN to HA to FA to MR, MR directly back to CN.

Slide 30: IPv4 Real World Operation (same diagram as slide 29, with a proxy in front of the operational network)
- The proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best.
- Glenn Research Center policy: no UDP, no IPSec, etc. Mobile-IP stopped in its tracks. What's your policy?
- Ingress or egress filtering stops transmission due to a topologically incorrect source address. IPv6 corrects this problem.
- USCG requires 3DES encryption. WEP is not acceptable due to known deficiencies.

Slide 31: Current Solution: Reverse Tunneling (same diagram as slide 30; MR traffic goes back through the HA and the proxy)
- Anticipate similar problems for IPv6.
- Adds overhead and kills route optimization.
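The two failure modes on slide 30 and the fix on slide 31 can be walked through in a small simulation. The following is an added example, not code from the deck or from NASA/USCG: it models an ingress filter at the edge of the visited network, a stateful proxy at the home network border, and a correspondent node replying to the home address, then compares triangular routing with reverse tunneling. Addresses are those of the deck's Mobile-IP (IPv4) slide; the filter and proxy behaviour is a deliberate simplification.

```python
"""Added example, not from the deck: a toy model of why Mobile-IP triangular
routing fails behind ingress filtering and a stateful proxy, and why reverse
tunneling (RFC 3024) gets through. Addresses are those on the deck's
Mobile-IP (IPv4) slide; the filter and proxy behaviour is a simplification."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

HOME_NET = ip_network("128.183.13.0/24")     # home network (NASA Goddard side)
FOREIGN_NET = ip_network("139.88.111.0/24")  # visited network (NASA Glenn side)
HA = "128.183.13.1"                          # Home Agent
HOME_ADDR = "128.183.13.103"                 # mobile node's permanent address
COA = "139.88.111.50"                        # collocated care-of address (D bit)
CN = "143.232.48.1"                          # correspondent node (NASA Ames)


@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None   # set when IP-in-IP encapsulated (RFC 2003)


def passes_ingress_filter(pkt: Packet, net) -> bool:
    """Edge router of `net` (RFC 2827 style): forward only packets whose
    source address actually belongs to `net`."""
    return ip_address(pkt.src) in net


class StatefulProxy:
    """Home-network proxy that only admits replies to flows it saw leave."""
    def __init__(self) -> None:
        self.flows = set()

    def outbound(self, pkt: Packet) -> None:
        self.flows.add((pkt.src, pkt.dst))

    def admits(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.src) in self.flows


def send_request(reverse_tunnel: bool, foreign_ingress_filtering: bool) -> list[str]:
    """One request from the mobile node to CN and CN's reply; returns the hop-by-hop trace."""
    proxy = StatefulProxy()
    trace: list[str] = []
    request = Packet(HOME_ADDR, CN)

    if reverse_tunnel:
        # Outer header carries the care-of address, which is topologically
        # correct on the foreign network; the inner packet still says HOME_ADDR.
        on_wire = Packet(COA, HA, inner=request)
    else:
        # Triangular routing: the mobile node sources packets from its home
        # address while sitting on the foreign network.
        on_wire = request

    if foreign_ingress_filtering and not passes_ingress_filter(on_wire, FOREIGN_NET):
        trace.append(f"dropped at foreign-net ingress filter: src {on_wire.src} not in {FOREIGN_NET}")
        return trace
    trace.append("left foreign network")

    if reverse_tunnel:
        # The HA decapsulates; the request exits the home network through the proxy.
        proxy.outbound(on_wire.inner)
        trace.append("HA decapsulated; proxy recorded the outbound flow")
    else:
        trace.append("went straight to CN, bypassing the home proxy")

    # CN replies to the home address, so the reply always lands on the home network.
    reply = Packet(CN, HOME_ADDR)
    if not proxy.admits(reply):
        trace.append("reply squelched by proxy: no matching outbound flow")
        return trace
    trace.append("proxy admitted reply")
    # The HA tunnels the reply to the care-of address (the normal RFC 3344 forward tunnel).
    delivered = Packet(HA, COA, inner=reply)
    trace.append(f"HA tunneled reply to {delivered.dst}; delivered to MN")
    return trace


if __name__ == "__main__":
    for rt, filt in [(False, True), (False, False), (True, True)]:
        print(f"reverse_tunnel={rt} ingress_filtering={filt}")
        for hop in send_request(rt, filt):
            print("  ", hop)
```

Run stand-alone it prints three traces: triangular routing dies at the ingress filter, triangular routing without filtering still loses the reply at the proxy, and reverse tunneling completes the round trip at the cost of the extra hop through the HA that slide 31 complains about.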

Slide 32: Shared Network Infrastructure (repeat of the slide 8 diagram: US Coast Guard, Canadian Coast Guard, ACME Shipping and US Navy mobile routers sharing Foreign Agents, each with its own Home Agent)
Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

Slide 33: Security, Bandwidth Utilization, Performance
Security means tunnels, tunnels, tunnels and more tunnels, and tunnels cost performance. The user turns OFF security to make the system usable! Thus, we need more bandwidth to ensure security.
Diagram: each layer prepends another header to the original packet (header + payload): the virtual private network header, the network-layer encryption header, and the encryption header on the RF link.
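The header stack on this slide is easy to put numbers on. The block below is an added example, not from the deck: it sizes one UDP datagram after the Mobile-IP IP-in-IP tunnel and an IPsec ESP tunnel with 3DES-CBC (the cipher the USCG requires on slide 30), fragments it if the result no longer fits the link MTU, and reports the goodput left on the 1.0 Mbps 802.11 and 56 kbps Globalstar links from slides 19 and 21. IPv4, IP-in-IP and ESP sizes follow the RFCs; the per-frame overhead of the link encryptor is an assumed parameter because the deck does not name the device.

```python
"""Added example, not from the deck: bytes on the RF link for one application
datagram as the tunnels of the slide stack up (Mobile-IP IP-in-IP tunnel,
IPsec ESP with 3DES-CBC as the USCG requires, then a link-layer encryptor),
including the IPv4 fragmentation the extra headers can trigger. Header sizes
for IPv4, IP-in-IP and ESP follow the RFCs; the per-frame link-encryption
overhead is an assumed parameter."""
from __future__ import annotations
from typing import Callable

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8        # SPI + sequence number (RFC 2406 / RFC 4303)
ESP_IV = 8         # 3DES-CBC block size
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-MD5-96 / HMAC-SHA1-96 authenticator

Layer = Callable[[int], int]   # maps packet length before a layer to length after it


def ipip_tunnel(length: int) -> int:
    """Mobile-IP tunnel (RFC 2003): one more IPv4 header."""
    return length + IPV4_HDR


def esp_tunnel(length: int) -> int:
    """IPsec ESP tunnel mode with a CBC cipher: outer IPv4 header, ESP header, IV,
    the inner packet padded so (inner + trailer) is a block multiple, trailer, ICV."""
    pad = (-(length + ESP_TRAILER)) % ESP_IV
    return IPV4_HDR + ESP_HDR + ESP_IV + length + pad + ESP_TRAILER + ESP_ICV


def fragment(length: int, mtu: int) -> list[int]:
    """IPv4 fragmentation of a packet that exceeds the link MTU: every fragment
    carries a 20-byte header and all but the last carry a multiple of 8 data bytes."""
    if length <= mtu:
        return [length]
    data_left = length - IPV4_HDR
    per_fragment = (mtu - IPV4_HDR) // 8 * 8
    sizes = []
    while data_left > 0:
        chunk = min(per_fragment, data_left)
        sizes.append(chunk + IPV4_HDR)
        data_left -= chunk
    return sizes


def bytes_on_link(app_bytes: int, stack: list[Layer], mtu: int = 1500, link_overhead: int = 0) -> int:
    """Total bytes the RF link carries for one UDP datagram of `app_bytes`
    after the encapsulation stack, fragmentation at `mtu`, and `link_overhead`
    extra bytes per frame for the link encryptor (assumed value)."""
    length = IPV4_HDR + UDP_HDR + app_bytes       # the ORIGINAL PACKET of the slide
    for layer in stack:
        length = layer(length)
    return sum(frame + link_overhead for frame in fragment(length, mtu))


def goodput(link_bps: int, app_bytes: int, stack: list[Layer], **kw) -> float:
    """Application bits per second left on a link of `link_bps` after overhead."""
    return link_bps * app_bytes / bytes_on_link(app_bytes, stack, **kw)


if __name__ == "__main__":
    stacks = {"plain": [], "mobile-ip": [ipip_tunnel], "mobile-ip+esp(3des)": [ipip_tunnel, esp_tunnel]}
    for rate_name, bps in (("802.11b at 1.0 Mbps", 1_000_000), ("Globalstar at 56 kbps", 56_000)):
        for name, stack in stacks.items():
            for size in (64, 1400):
                print(f"{rate_name:22} {name:20} {size:5}B payload -> "
                      f"{bytes_on_link(size, stack, link_overhead=8):5}B on link, "
                      f"{goodput(bps, size, stack, link_overhead=8) / 1000:7.1f} kbps goodput")
```

Two things the table makes visible that the slide only asserts: a 1400-byte datagram that fits the 1500-byte MTU unencrypted no longer fits once the IP-in-IP and ESP headers are added, so it becomes two frames (1500 + 24 bytes) and the second frame is almost all header; and for small telemetry-sized datagrams the two tunnels alone consume more than half of the 56 kbps satellite channel.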

Slide 34: Additional and Future Security Solutions
- AAA: routers (available today); wireless bridges and access points (available 2002).
- IPSec on the router interface.
- Encrypted radio links: IPSec, Type 1 or Type 2, and future improved WEP.

Slide 35: Conclusions
- Security breaks everything. At least it sometimes feels like that.
- Need to change policy where appropriate.
- Need to develop good architectures that consider how the wireless systems and protocols operate.
- Possible solutions that should be investigated: dynamic, protocol-aware firewalls and proxies, possibly incorporated with authentication and authorization.

Slide 36: Mobile-IP Operation (IPv4)

Slide 37: Mobile-IP (IPv4) (network diagram)
Mobile Node with home IP 128.183.13.103 and care-of address 139.88.111.50; Foreign Agents 139.88.111.1 and 139.88.112.1 at NASA Glenn; Home Agent 128.183.13.1 at NASA Goddard; Corresponding Node 143.232.48.1 at NASA Ames; all connected via the Internet or intranet.

Slide 38: Mobile-Router (IPv4) (network diagram)
Mobile Router (mobile node) with roaming interface 10.2.2.1, virtual LAN interface 10.2.3.1 and MR loopback virtual interface 10.2.4.10; Foreign Agent with WAN address 139.88.100.1, which is the COA; Home Agent 128.183.13.1 with HA loopback virtual interface 128.184.25.1; Tunnel-0 (10.2.3.101) and Tunnel-1 between them across the Internet WAN; Corresponding Node 139.88.112.1.

Slide 39: Mobile-Router (IPv4), Collocated Care-of Address (same diagram as slide 38, but the COA 139.88.100.1 is held by the MR itself: no Foreign Agent, no second tunnel)

Slide 40: Mobile-Router (IPv4), Collocated Care-of Address (same diagram as slide 39: MR with roaming interface 10.2.2.1, virtual LAN interface 10.2.3.1, MR loopback 10.2.4.10 and COA 139.88.100.1; Tunnel-0 10.2.3.101 to the HA 128.183.13.1 with loopback 128.184.25.1; Corresponding Node 139.88.112.1)
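What the mobile router actually sends the Home Agent in the collocated care-of address case, and what the HA must check before installing the binding, is worth seeing on the wire. The block below is an added example, not code from the deck or from any router on it: it builds an RFC 3344 Registration Request with the D bit (collocated COA, as the Globalstar path on slide 21 requires) and the RFC 3024 T bit (reverse tunneling, slide 12), appends the Mobile-Home Authentication Extension with the default HMAC-MD5 authenticator, and has a minimal HA verify the authenticator and apply the timestamp replay check. This is the security association that slide 12 says reverse tunneling simplifies and that the "secure key management" item on slide 45 is about. Addresses are from slide 37; the shared key, SPI and the fixed clock are constructed for the example.

```python
"""Added example, not from the deck: the RFC 3344 Registration Request a
mobile node (here a mobile router with a collocated care-of address, D bit,
and reverse tunneling requested, T bit from RFC 3024) sends to its Home
Agent, with the Mobile-Home Authentication Extension the HA verifies and the
timestamp-based replay check. Key, SPI and clock values are constructed."""
from __future__ import annotations
import hashlib
import hmac
import struct
from ipaddress import IPv4Address
from typing import Callable

REG_REQUEST = 1
FLAG_S, FLAG_B, FLAG_D, FLAG_M = 0x80, 0x40, 0x20, 0x10
FLAG_G, FLAG_R, FLAG_T, FLAG_X = 0x08, 0x04, 0x02, 0x01
MH_AUTH_EXT = 32          # Mobile-Home Authentication Extension type
AUTH_LEN = 16             # HMAC-MD5 authenticator, the RFC 3344 default
FIXED_LEN = 24            # type, flags, lifetime, home addr, HA, CoA, identification
EXT_HEAD_LEN = 6          # extension type, length, SPI
NTP_EPOCH_OFFSET = 2208988800   # seconds between 1900-01-01 and 1970-01-01


def ntp_identification(unix_seconds: float) -> int:
    """64-bit NTP timestamp used as the Identification field for replay protection."""
    secs = int(unix_seconds) + NTP_EPOCH_OFFSET
    frac = int((unix_seconds - int(unix_seconds)) * (1 << 32)) & 0xFFFFFFFF
    return (secs << 32) | frac


def build_registration_request(home: str, home_agent: str, coa: str, lifetime: int,
                               identification: int, spi: int, key: bytes,
                               flags: int = FLAG_D | FLAG_T) -> bytes:
    body = struct.pack("!BBH4s4s4sQ", REG_REQUEST, flags, lifetime,
                       IPv4Address(home).packed, IPv4Address(home_agent).packed,
                       IPv4Address(coa).packed, identification)
    ext_head = struct.pack("!BBI", MH_AUTH_EXT, 4 + AUTH_LEN, spi)
    # HMAC-MD5 over the request, any prior extensions (none here) and this
    # extension's type, length and SPI; the authenticator itself is excluded.
    authenticator = hmac.new(key, body + ext_head, hashlib.md5).digest()
    return body + ext_head + authenticator


class HomeAgent:
    """Minimal HA registration check: authentication first, then replay protection."""

    def __init__(self, keys: dict, clock: Callable[[], float], window: int = 7) -> None:
        self.keys = keys              # (home address, SPI) -> shared secret
        self.clock = clock
        self.window = window          # RFC 3344 default timestamp tolerance, seconds
        self.last_identification: dict = {}

    def verify(self, msg: bytes) -> tuple:
        if len(msg) < FIXED_LEN + EXT_HEAD_LEN + AUTH_LEN:
            return False, "poorly formed request (code 134)"
        msg_type, flags, lifetime, home, _ha, coa, ident = struct.unpack("!BBH4s4s4sQ", msg[:FIXED_LEN])
        ext_type, ext_len, spi = struct.unpack("!BBI", msg[FIXED_LEN:FIXED_LEN + EXT_HEAD_LEN])
        if msg_type != REG_REQUEST or ext_type != MH_AUTH_EXT or ext_len != 4 + AUTH_LEN:
            return False, "poorly formed request (code 134)"
        home_addr = str(IPv4Address(home))
        key = self.keys.get((home_addr, spi))
        if key is None:
            return False, "mobile node failed authentication (code 131): unknown SPI"
        expected = hmac.new(key, msg[:FIXED_LEN + EXT_HEAD_LEN], hashlib.md5).digest()
        received = msg[FIXED_LEN + EXT_HEAD_LEN:FIXED_LEN + EXT_HEAD_LEN + AUTH_LEN]
        if not hmac.compare_digest(expected, received):
            return False, "mobile node failed authentication (code 131)"
        # Replay protection: timestamp within the window of our clock and
        # strictly newer than the last one accepted for this mobile node.
        sent_at = (ident >> 32) - NTP_EPOCH_OFFSET
        if abs(sent_at - self.clock()) > self.window:
            return False, "registration Identification mismatch (code 133)"
        if ident <= self.last_identification.get(home_addr, 0):
            return False, "registration Identification mismatch (code 133): replayed"
        self.last_identification[home_addr] = ident
        return True, f"accepted: {home_addr} at care-of {IPv4Address(coa)} for {lifetime}s, flags 0x{flags:02x}"


# Constructed demo values; addresses are the deck's Mobile-IP (IPv4) slide.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed shared secret
SPI = 0x100
NOW = 1_000_000_000.0                                       # fixed clock for reproducibility


def demo() -> list:
    ha = HomeAgent({("128.183.13.103", SPI): KEY}, clock=lambda: NOW)
    req = build_registration_request("128.183.13.103", "128.183.13.1", "139.88.111.50",
                                     lifetime=1800, identification=ntp_identification(NOW),
                                     spi=SPI, key=KEY)
    results = [ha.verify(req)]                                   # fresh, valid request
    results.append(ha.verify(req))                               # same bytes replayed
    tampered = req[:2] + bytes([req[2] ^ 0x01]) + req[3:]        # one lifetime bit flipped
    results.append(ha.verify(tampered))
    stale = build_registration_request("128.183.13.103", "128.183.13.1", "139.88.111.50",
                                       1800, ntp_identification(NOW - 60), SPI, KEY)
    results.append(ha.verify(stale))                             # outside the 7 s window
    return results


if __name__ == "__main__":
    for ok, reason in demo():
        print("ACCEPT" if ok else "REJECT", reason)
```

The order of the checks matters: the authenticator is verified before the Identification is inspected, so an attacker without the key cannot probe the HA's clock or binding state, and a request that authenticates but carries an old timestamp is refused with code 133 rather than installed. In a real HA the shared secret per (home address, SPI) is exactly the material the slide 45 "secure key management" item has to distribute to every ship and every home agent, including the secondary HAs of slides 9 and 11.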

Slide 41: What's Next: The End Game

Slide 42: Mobile Networks
- Share network infrastructure: USCG, Canadian Coast Guard, commercial shipping, pleasure boaters.
- Open radio access / restricted network access: authentication, authorization and accounting.
- Architecture: limited, experimental deployment on board Neah Bay. Move RIPv2 routing from the Fed. Bldg to Neah Bay.
- Move to full-scale deployment: requires full commitment.

Slide 43: (network diagram) MR with a public address in front of the mobile LAN (10.x.x.x); 802.11b link to FA Cleveland or FA Detroit; across the Internet to the HA (public address); PIX-506 firewall and proxy in front of the intranet (10.x.x.x).
Note: PIX-506 until we install our PIX FW. Then we should not need the baby PIX.

Slide 44: (blank)

Slide 45: Areas that need to be addressed
- Home Agent placement: inside or outside the firewall.
- AAA issues: open radio access / restricted network access.
- Secure key management.
- IPv6 mobile networking development: work with industry and IETF.
- Develop radio link technology.
- Enable better connectivity throughout the world for both military and aeronautical communications (voice, video and data).

Slide 46: NASA's Needs: Mobile Networks

Slide 47: Relevant NASA Aeronautics Programs
- Advanced Air Transportation Technology (AATT)
- Weather Information Communication (WINCOMM)
- Small Aircraft Transportation System (SATS)

Slide 48: Aeronautic Networking Issues
- Move to IPv6
- IPv6 mobile networking
- Authentication, authorization and accounting
- Bandwidth, bandwidth, bandwidth
- Media access policy
- Sending of operations over entertainment channels

Slide 49: Earth Observation (diagram with terminals T1, T2, T3 and an unlabeled "?" node)

Slide 50: (blank)

Slide 51: Space Flight Implementation: Sharing Infrastructure
- Common media access
- Common ground terminal capabilities
- Common network access
- AAA
- Common modulation and coding: software radio

Slide 52: Backup

Slide 53: Asymmetrical Pathing (diagram: Mobile Router with links via MilStar, Globalstar, others, and a DVB satellite; Internet; Home Agent; two Foreign Agents)

Slide 54: Neah Bay (photo)

Slide 55: Papers and Presentations
http://roland.grc.nasa.gov/~ivancic/papers_presentations/papers.html
or http://roland.grc.nasa.gov/~ivancic/ and pick "Papers and Presentations"