8/10/2019 Secure Mobile Networks
Slide 1: Securing Mobile Networks
An Enabling Technology for National and International Security and Beyond

Slide 2: Goals for November 6th
Highlight Mobile Networking Technology
Emphasizing National and International Security today due to time limitations
Discuss security policy
Enabling shared infrastructure (when reasonable)
Next Steps (Afternoon Session)
Other Items (Afternoon Session)

Slide 3: Today's Audience
Big Picture People
Policy Makers
Media
Code Writers
Implementers
Please, don't be afraid to ask questions.

Slide 4: Neah Bay / Mobile Router Project
[Diagram: Foreign Agents at Cleveland, Detroit and "Somewhere, USA"; Home Agent at "Anywhere, USA"; all reached over the Internet]
Neah Bay outside of wireless LAN range: connected to an FA via Globalstar.
Neah Bay at Cleveland harbor: connected to an FA via wireless LAN.

Slide 5: Why NASA/USCG/Industry
Real world deployment issues can only be addressed in an operational network.
USCG has immediate needs, therefore a willingness to work the problem.
USCG has military network requirements.
USCG is a large enough network to force us to investigate full scale deployment issues, yet small enough to work with.
NASA has the same network issues regarding mobility, security, network management and scalability.

Slide 6: Mobile-Router Advantages
Share wireless and network resources with other organizations: $$$ savings
Set and forget: no onsite expertise required. However, you still have to engineer the network.
Continuous Connectivity (may or may not be important to your organization)
Robust: Secondary Home Agent (reparenting of HA)

Slide 7: Mobile Network Design Goals
Secure
Scalable
Manageable
Ability to share network infrastructure
Robust

Slide 8: Shared Network Infrastructure
[Diagram: Public Internet with Foreign Agents; Mobile Routers of the US Coast Guard, Canadian Coast Guard, ACME Shipping and US Navy, each organization with its own Home Agent]
Encrypting wireless links makes it very difficult to share infrastructure.
This is a policy issue.

Slide 9: Secondary Home Agent (reparenting the HA)
[Diagram: Primary Home Agent and Secondary Home Agent, with one path marked X]
Reparenting the Home Agent helps resolve the triangular routing problem over long distances.

Slide 10: Emergency Backup (Hub / Spoke Network)
If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established.
If the primary control site is physically incapacitated, there is no backup capability.

Slide 11: Secondary Home Agent (Fully Meshed Network)
[Diagram: five sites, numbered 1 to 5, fully meshed]
If the primary control site is physically incapacitated, a second, third or fourth site takes over automatically.

Slide 12: We Are Running with Reverse Tunneling
Pros:
Ensures topologically correct addresses on foreign networks
Required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall
Greatly simplifies setup and management of security associations in encryptors
Greatly simplifies multicast: the HA makes for an excellent rendezvous point
Cons:
Uses additional bandwidth
Destroys route optimization

Slide 13
[Diagram: Mobile LAN 10.x.x.x behind the MR, 802.11b link to FA Cleveland and FA Detroit, Internet, and the USCG Intranet 10.x.x.x behind a Firewall with HA, Encryption and Proxy; the MR tunnel endpoint and the HA tunnel endpoint both have public addresses (public space)]

Slide 14: Open Network Data Transfers
[Diagram: as slide 13, with the USCG Officers Club and the East and West Dock access points; data transfers shown over the open network]

Slide 15: Encrypted Network Data Transfers
[Diagram: as slide 14; data transfers shown over the encrypted network]

Slide 16: Monitoring Points
[Diagram: as slide 14, with two Open Network Monitoring Points marked]

Slides 17 and 18 (same diagram as slide 16)
Note, we are monitoring the Neah Bay.
We are using lots of bandwidth to do this.

Slide 19: RF Bandwidth
[Diagram: Mobile LAN 10.x.x.x with Encryption and the East and West Dock links; bandwidth figures as labelled on the links:]
1.0 Mbps (manually set)
1.0 Mbps (manually set)
11.0 Mbps (auto-negotiated and shared with Officers Club)
7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay)

Slide 20: Wireless Only?
Wireless can be jammed, particularly unlicensed spectrum such as 802.11. Satellites are a bit harder.
The solution is to find the interferer and make them stop.
You still want land line connections. Mobile Routing can be used over land lines.

Slide 21: Globalstar/Sea Tel MCM-8
Initial market addresses maritime and pleasure boaters.
Client / Server architecture: the current implementation requires the call to be initiated by the client (ship).
Multiplexes eight channels to obtain 56 kbps total data throughput. Full bandwidth-on-demand.
Requires use of a Collocated Care-of-Address.

Slide 22: Satellite Coverage
[Coverage maps from SaVi: Globalstar and INMARSAT]

Slide 23: Layer 2 Technology
Globalstar MCM-8 with Sea Tel Tracking Antenna
Hypergain 802.11b Flat Panel, 8 dBi
Dipole
L3-Comm 15 dBic Tracking Antenna

Slide 24: Backbone Network Topology
Detail Network Diagram (Intentionally Blank)

Slide 25: Neah Bay Network Topology
Detail Network Diagram (Intentionally Blank)

Slide 26: USCG Officers Club Network Topology
Detail Network Diagram (Intentionally Blank)

Slide 27: Securing Mobile and Wireless Networks
Some ways may be better than others!

Slide 28: Constraints / Tools
Policy
Architecture
Protocols

Slide 29: IPv4 Utopian Operation (Triangular Routing)
[Diagram: CN on the Public Internet, FA and MR in the US Coast Guard Mobile Network, HA in the US Coast Guard Operational Network (Private Address Space)]

Slide 30: IPv4 Real World Operation
[Diagram: as slide 29, with a Proxy between the Public Internet and the US Coast Guard Operational Network]
The Proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best.
Glenn Research Center Policy: No UDP, No IPSec, etc. Mobile-IP stopped in its tracks. What's your policy?
Ingress or Egress Filtering stops transmission due to a topologically incorrect source address. IPv6 corrects this problem.
USCG requires 3DES encryption. WEP is not acceptable due to known deficiencies.

Slide 31: Current Solution: Reverse Tunneling
[Diagram: as slide 30, with the Proxy; traffic from the MR is tunneled back through the HA before reaching the CN]
Anticipate similar problems for IPv6.
Adds overhead and kills route optimization.
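As an added illustration (not from the original slides), the following Python model traces one packet from a mobile-LAN host through a foreign network that applies egress filtering, once with triangular routing and once with reverse tunneling as described on slides 12, 30 and 31. The addresses are constructed sample values modelled on the slide diagrams, and the egress filter and IP-in-IP encapsulation are simplified assumptions; the Proxy and the return path are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed sample addressing modelled on the slide diagrams (not a live config).
FOREIGN_PREFIX = ip_network("139.88.100.0/24")  # the foreign network's own address space
COA = "139.88.100.1"                             # MR care-of address on the FA WAN
HA = "128.184.25.1"                              # Home Agent loopback
CN = "139.88.112.1"                              # Corresponding Node


@dataclass
class Packet:
    src: str
    dst: str
    inner: Optional["Packet"] = None  # set when the packet is IP-in-IP encapsulated


def egress_filter(pkt: Packet) -> bool:
    """Foreign border router: forward only packets sourced from its own prefix.
    A mobile-LAN host's 10.x home address is topologically incorrect here."""
    return ip_address(pkt.src) in FOREIGN_PREFIX


def mr_send(host_pkt: Packet, reverse_tunnel: bool) -> Packet:
    """Mobile Router: send natively (triangular routing) or encapsulate towards
    the HA with the care-of address as the outer source (reverse tunneling)."""
    if reverse_tunnel:
        return Packet(src=COA, dst=HA, inner=host_pkt)
    return host_pkt


def ha_decapsulate(pkt: Packet) -> Packet:
    """Home Agent strips the outer header; the inner 10.x source is legitimate
    on the home network, so the original packet is forwarded from there."""
    if pkt.dst != HA or pkt.inner is None:
        raise ValueError("not a reverse-tunnel packet addressed to the HA")
    return pkt.inner


def deliver(host_pkt: Packet, reverse_tunnel: bool) -> Tuple[str, Optional[Packet]]:
    """Trace one mobile-LAN packet to the CN: (outcome, packet the CN receives)."""
    wire = mr_send(host_pkt, reverse_tunnel)
    if not egress_filter(wire):
        return "dropped by foreign egress filter", None
    if wire.dst == HA:
        wire = ha_decapsulate(wire)
    outcome = "delivered via HA (reverse tunnel)" if reverse_tunnel else "delivered direct"
    return outcome, wire
```

Calling `deliver(Packet(src="10.2.3.101", dst=CN), False)` reproduces the slide-30 failure, while the same packet with `reverse_tunnel=True` reaches the CN with its original 10.x source intact, at the cost of the extra outer header and the detour through the HA.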

Slide 32: Shared Network Infrastructure (same diagram and caption as slide 8)
Encrypting wireless links makes it very difficult to share infrastructure.
This is a policy issue.

Slide 33: Security
[Cycle diagram: Security -> Bandwidth Utilization -> Security -> Performance -> Tunnels, Tunnels, Tunnels and more Tunnels -> Performance -> Security]
User turns OFF Security to make the system usable!
Thus, we need more bandwidth to ensure security.
[Packet diagram: each layer prepends a HEADER to the packet below it]
ORIGINAL PACKET: HEADER | PAYLOAD
VIRTUAL PRIVATE NETWORK: HEADER | original packet
ENCRYPTION AT THE NETWORK LAYER: HEADER | VPN packet
ENCRYPTION ON THE RF LINK: HEADER | network-layer encrypted packet
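As an added example (not from the slides), this Python snippet quantifies the header stacking shown above for a packet that is reverse-tunneled (IP-in-IP), then protected with IPsec ESP in tunnel mode using 3DES-CBC and HMAC-SHA1-96 (the slides state USCG requires 3DES), then link-encrypted, and what that leaves of a 56 kbps Globalstar channel. The ESP field sizes are the standard ones for those algorithms; the link-encryption header size is an assumed constant, not a Neah Bay measurement.

```python
from typing import Callable, List

IPV4_HDR = 20          # bytes, IPv4 header without options
ESP_HDR = 8            # SPI + sequence number
ESP_IV_3DES = 8        # 3DES-CBC initialisation vector
ESP_TRAILER = 2        # pad length + next header
ESP_ICV = 12           # HMAC-SHA1-96 authentication data
LINK_CRYPTO_HDR = 8    # assumed fixed per-frame cost of RF link encryption

Layer = Callable[[int], int]   # maps inner packet size to outer packet size


def ip_in_ip(inner: int) -> int:
    """Mobile-IP reverse tunnel (VPN layer on the slide): one extra IPv4 header."""
    return IPV4_HDR + inner


def esp_tunnel_3des(inner: int) -> int:
    """ESP tunnel mode: inner packet plus trailer is padded to the 8-byte 3DES
    block size, then wrapped in outer IP, ESP header, IV and ICV."""
    encrypted = inner + ESP_TRAILER
    encrypted += (-encrypted) % 8
    return IPV4_HDR + ESP_HDR + ESP_IV_3DES + encrypted + ESP_ICV


def link_encryption(inner: int) -> int:
    """Encryption on the RF link, modelled as a fixed header (assumption)."""
    return LINK_CRYPTO_HDR + inner


def on_the_wire(payload: int, layers: List[Layer]) -> int:
    """Bytes sent for an IPv4 packet carrying `payload` bytes after applying
    each tunnel/encryption layer, innermost first."""
    size = IPV4_HDR + payload          # the original packet
    for layer in layers:
        size = layer(size)
    return size


def goodput_bps(payload: int, layers: List[Layer], link_bps: float) -> float:
    """Application bits per second that survive the header overhead."""
    return link_bps * payload / on_the_wire(payload, layers)


# The three layers stacked on the slide, innermost first.
NEAH_BAY_STACK = [ip_in_ip, esp_tunnel_3des, link_encryption]

if __name__ == "__main__":
    for payload in (64, 512, 1400):
        wire = on_the_wire(payload, NEAH_BAY_STACK)
        print(f"{payload:5d} B payload -> {wire:5d} B on the wire, "
              f"{goodput_bps(payload, NEAH_BAY_STACK, 56_000):6.0f} bps of 56 kbps")
```

With 64-byte payloads the stack doubles the bytes on the wire (168 vs. 84), leaving about 21 kbps of application throughput on the 56 kbps link; a 1400-byte payload grows to 1504 bytes and would fragment at a 1500-byte MTU.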

Slide 34: Additional and Future Security Solutions
AAA: Routers (available today); Wireless bridges and access points (available 2002)
IPSec on router interface
Encrypted radio links: IPSec, type 1 or type 2, and future improved WEP

Slide 35: Conclusions
Security Breaks Everything. At least it sometimes feels like that.
Need to change policy where appropriate.
Need to develop good architectures that consider how the wireless systems and protocols operate.
Possible solutions that should be investigated: dynamic, protocol-aware firewalls and proxies, possibly incorporated with Authentication and Authorization.

Slide 36: Mobile-IP Operation (IPv4)

Slide 37: Mobile-IP (IPv4)
[Diagram: Home Agent 128.183.13.1 (NASA Goddard); Mobile Node with Home IP 128.183.13.103 and Care-of Address 139.88.111.50; Foreign Agents 139.88.111.1 and 143.232.48.1 (NASA Ames); Corresponding Node 139.88.112.1 (NASA Glenn); connected over the Internet or Intranet]

Slide 38: Mobile-Router (IPv4)
[Diagram: Mobile Router (Mobile Node) with Roaming Interface 10.2.2.1, Virtual LAN Interface 10.2.3.1, MR Loopback Virtual Interface 10.2.4.10 and COA 139.88.100.1; Foreign Agent with FA WAN 139.88.100.1; Home Agent 128.183.13.1 with HA Loopback Virtual Interface 128.184.25.1; Corresponding Node 139.88.112.1; address 10.2.3.101; Tunnel-0 and Tunnel-1 across the Internet WAN]

Slide 39: Mobile-Router (IPv4), Collocated Care-Of-Address
[Diagram: same elements as slide 38 with the Foreign Agent bypassed; notes: No Foreign Agent, No Second Tunnel]

Slide 40: Mobile-Router (IPv4), Collocated Care-Of-Address
[Diagram: as slide 39 without the Foreign Agent; a single tunnel between the MR (COA 139.88.100.1) and the HA]

Slide 41: What's Next
The End Game

Slide 42: Mobile Networks
Share Network Infrastructure: USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters
Open Radio Access / Restricted Network Access: Authentication, Authorization and Accounting
Architecture: Limited, experimental deployment onboard Neah Bay; move RIPv2 routing from the Fed. Bldg to Neah Bay
Move to full scale deployment: requires full commitment

Slide 43
[Diagram: MR with a public address and Mobile LAN 10.x.x.x, 802.11b link to FA Cleveland (public) and FA Detroit, Internet, HA (public) in front of the Intranet 10.x.x.x with Proxy and PIX-506 firewall]
PIX-506 until we install our PIX FW. Then we should not need the baby PIX.

Slide 45: Areas that need to be addressed
Home Agent Placement: inside or outside the firewall
AAA Issues: Open Radio Access / Restricted Network Access
Secure Key Management
IPv6 Mobile Networking Development: work with industry and IETF
Develop radio link technology: enable better connectivity throughout the world for both military and aeronautical communications (voice, video and data).

Slide 46: NASA's Needs
Mobile Networks

Slide 47: Relevant NASA Aeronautics Programs
Advanced Air Transportation Technology (AATT)
Weather Information Communication (WINCOMM)
Small Aircraft Transportation System (SATS)

Slide 48: Aeronautic Networking Issues
Move to IPv6
IPv6 Mobile Networking
Authentication, Authorization and Accounting
Bandwidth, Bandwidth, Bandwidth
Media Access Policy
Sending of Operations over Entertainment Channels

Slide 49: Earth Observation
[Diagram: nodes labelled T1, T2, ? and T3]

Slide 51: Space Flight Implementation
Sharing Infrastructure
Common Media Access
Common Ground Terminal Capabilities
Common Network Access: AAA
Common Modulation and Coding: Software Radio

Slide 52: Backup

Slide 53: Asymmetrical Pathing
[Diagram: Mobile Router, satellite links (MilStar, Globalstar, Others) and a DVB Satellite link, Internet, Home Agent, Foreign Agents]

Slide 54: Neah Bay
[Photo]

Slide 55: Papers and Presentations
http://roland.grc.nasa.gov/~ivancic/papers_presentations/papers.html
or
http://roland.grc.nasa.gov/~ivancic/ and pick "Papers and Presentations"