Securing Mobile Networks in an Operational Setting
Transcript and Presenter's Notes
1
Securing Mobile Networks in an Operational Setting
  • Will Ivancic
  • wivancic_at_grc.nasa.gov
  • (216) 433-3494

2
Outline
  • Security Considerations
  • Neah Bay Project
  • Cost of Connectivity
  • NASA's Mobile Network Needs

3
Security Considerations
4
Securing Networks
  • Constraints/Tools
  • Policy
  • Security Policy
  • Education
  • Enforcement
  • Architecture
  • Protocols
  • Must be done up front to be done well

5
IPv4 Utopian Operation
(Diagram) Correspondent Node (CN) on the US Coast Guard Operational Network (private address space) with the Home Agent (HA) at its edge; the Public Internet in between; Foreign Agent (FA) and Mobile Router (MR) on the US Coast Guard Mobile Network. CN-to-MR traffic uses triangular routing.
6
IPv4 Real World Operation
(Diagram) Same topology, but a proxy sits at the boundary between the US Coast Guard Operational Network (private address space) and the Public Internet; HA behind the proxy, FA and MR on the US Coast Guard Mobile Network.
7
Current Solution: Reverse Tunneling
(Diagram) Same components (CN, proxy, HA, Public Internet, FA, MR), with MR traffic reverse-tunneled through the HA. Adds overhead and kills route optimization. Anticipate similar problems for IPv6.
8
Security
  • Security → Bandwidth Utilization ↑
  • Security → Performance ↓
  • Tunnels, Tunnels, Tunnels and more Tunnels
  • Performance ↓ → Security ↓
  • ⇒ User turns OFF Security to make system usable!
  • Thus, we need more bandwidth to ensure security.

9
Conclusions Regarding Security
  • Security Breaks Everything ?
  • At least it sometimes feels like that.
  • The Ultimate Denial of Service Attack D.S.
  • Need to change policy where appropriate.
  • Need to develop good architectures that consider
    how the wireless systems and protocols operate.
  • Possible solutions that should be investigated:
      • Dynamic, protocol-aware firewalls and proxies.
      • Possibly incorporated with Authentication and
        Authorization.

10
Neah Bay / Mobile Router Project
11
Neah Bay / Mobile Router Project
12
Why NASA/USCG/Industry
  • Real world deployment issues can only be
    addressed in an operational network.
  • USCG has immediate needs, therefore willingness
    to work the problem.
  • USCG has military network requirements.
  • USCG is a large enough network to force us to
    investigate full-scale deployment issues
  • USCG is small enough to work with.
  • NASA has same network issues regarding mobility,
    security, network management and scalability.

13
Mobile-Router Advantages
  • Share wireless and network resources with other
    organizations
      • Savings
  • Set and forget
      • No onsite expertise required
      • However, you still have to engineer the network
  • Continuous Connectivity
      • (May or may not be important to your
        organization)
  • Robust
      • Secondary Home Agent (Dynamic HA)

14
Mobile Network Design Goals
  • Secure
  • Scalable
  • Manageable
  • Ability to share network infrastructure
  • Robust

15
Shared Network Infrastructure
(Diagram only)
16
Secondary Home Agent (Dynamic HA)
(Diagram) Primary Home Agent and Secondary Home Agent. Reparenting the Home Agent helps resolve the triangular routing problem over long distances.
17
Emergency Backup (Hub / Spoke Network)
(Diagram only)
18
Secondary Home Agent (Fully Meshed Network)
(Diagram with five numbered nodes)
19
We Are Running with Reverse Tunneling
  • Pros
      • Ensures topologically correct addresses on
        foreign networks
      • Required, as requests from MR LAN hosts must pass
        through the Proxy inside the main firewall
      • Greatly simplifies setup and management of
        security associations in encryptors
      • Greatly simplifies multicast: the HA makes for an
        excellent rendezvous point.
      • Mobile Router does NOT have to be in public
        address space so long as the Collocated
        Care-of-Address is.
  • Cons
      • Uses additional bandwidth
      • Destroys route optimization
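As an added illustration (not part of the presentation), a small Python model of the pros and cons on this slide: a packet from a 10.x.x.x MR LAN host is dropped by a topologically-correct-address filter on the foreign network when sent directly, gets through when reverse-tunneled from the collocated care-of address to the HA, and pays one extra IPv4 header per packet. All addresses and the filter behaviour are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed addressing: the mobile LAN is 10.x.x.x as on the slides, the
# operational network is another RFC 1918 block, and the Home Agent (HA) and
# collocated care-of address (CoA) are stand-in public addresses.
PRIVATE_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("172.16.0.0/12")]
HA_ADDR = "192.0.2.1"      # hypothetical public HA address
COA_ADDR = "203.0.113.77"  # hypothetical collocated CoA on the foreign network
IPV4_HDR = 20              # bytes added by one IP-in-IP encapsulation

def is_private(addr: str) -> bool:
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE_NETS)

@dataclass
class Packet:
    src: str                                 # MR LAN host (inner source)
    dst: str                                 # correspondent node (inner dest)
    payload: int                             # payload bytes
    outer: Optional[Tuple[str, str]] = None  # (src, dst) of the tunnel header

def wire_size(pkt: Packet) -> int:
    """Bytes on the foreign link: one IPv4 header, two when tunneled."""
    return pkt.payload + IPV4_HDR * (2 if pkt.outer else 1)

def deliver(pkt: Packet, reverse_tunnel: bool) -> dict:
    """Triangular routing sends the packet out with its own addresses;
    reverse tunneling wraps it in a CoA -> HA header so the HA decapsulates
    it and hands it to the proxy inside the main firewall."""
    if reverse_tunnel:
        pkt = Packet(pkt.src, pkt.dst, pkt.payload, outer=(COA_ADDR, HA_ADDR))
    out_src, out_dst = pkt.outer if pkt.outer else (pkt.src, pkt.dst)
    # Ingress filter on the foreign network: the outermost source must be a
    # topologically correct public address, not a leaked private one.
    if is_private(out_src):
        return {"delivered": False, "dropped_at": "foreign network filter",
                "bytes": wire_size(pkt)}
    # The public Internet has no route to a private destination network.
    if is_private(out_dst):
        return {"delivered": False, "dropped_at": "public Internet",
                "bytes": wire_size(pkt)}
    return {"delivered": True, "dropped_at": None, "bytes": wire_size(pkt)}

def tunnel_overhead(payload: int) -> float:
    """Extra bytes per packet relative to the untunneled packet, the
    'uses additional bandwidth' cost of reverse tunneling."""
    return IPV4_HDR / (payload + IPV4_HDR)
```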

20
GlobalStar Network (NATing from Public to Private)
(Diagram) Ship side: Satellite Antenna System and MR (loopback has public address), with encryptor and VoIP on the Neah Bay protected LAN; the Globalstar link uses a Collocated COA and reaches the HA over the open Internet. Shore side: HA (loopback has public address), with encryptor and VoIP on the USCG Intranet; FA - CLEVELAND and FA - DETROIT attached via APKnet DSL and Ameritech DSL (each with a subnet) in public address space.
21
Encrypted Network Data Transfers
(Diagram) Mobile LAN 10.x.x.x behind an encryptor on the ship; EAST and WEST dock connections; 802.11b link (public address) at the USCG Officers Club; FA - Detroit and FA Cleveland reaching the HA through the INTERNET and FIREWALL, with an encryptor on the home side.
22
Use and Deployments
  • 1st Demonstrated August 23 to November 6, 2002
  • Used in operational setting July to Sept 2003
      • New York and Boston Harbor
      • NY had no land line
      • Boston land line was poor; switched to satellite
  • Used Oct to Nov 2003 at shipyard during
    maintenance
      • 802.11b at 11 Mbps

23
Operational System: Home Agent is
incorporated with the firewall and proxy
(Diagram) PIX-506 firewall hosting the HA (public) and PROXY; Mobile LAN 10.x.x.x behind the MR (public); FA Cleveland (private) and FA - Detroit; 802.11b link with acceptable encryption.
24
(Image-only slide, no transcript)
25
Maintaining Two Networks (Routing over Layer-3
Encryptors)
(Diagram) Fed Bldg Router connected to the Dockside Router over a Private Leased Line; Neah Bay LAN behind the Mobile Router, joined to the Dockside Router by an Umbilical Cord (connected when docked); HA and Foreign Agent; ICMP Router Discovery and RIPv2 for routing.
26
Globalstar/Sea Tel MCM-8
  • Initial market addresses maritime and pleasure
    boaters.
  • Client / Server architecture, a common
    architecture.
  • Current implementation requires the call to be
    initiated by the client (ship).
  • Multiplexes eight channels to obtain 56 kbps
    total data throughput.
  • Full bandwidth-on-demand.
  • Requires use of Collocated Care-of-Address.

27
Satellite Coverage
(Diagram from SaVi) Globalstar and INMARSAT coverage.
28
Link Performance Considerations
(Diagram) 128 kbps link.
29
Cost of Connectivity (Examples)
30
Deployment issues (mobile)
  • Equipment Costs
  • Service Cost
  • Network Peculiarities
      • Network Address Translators
      • Performance Enhancing Proxies
  • Security Mechanisms
      • Packet Filtering
  • Connection Mechanisms
      • Smart Card Authentication
      • MAC and/or Static Key
      • (manual login is unacceptable)

31
NASA's Mobile Network Needs
  • Space-based systems
  • Aeronautics (in partnership with FAA)
      • Weather Dissemination
      • Air Traffic Management
      • Free Flight
  • Terrestrial (surface) Systems
      • Rovers
      • Astronauts

32
Earth Observation
33
Sensor Web
34
Pick up Papers and Presentations at
http://roland.grc.nasa.gov/ivancic/
  • Neah Bay

35
Backup Slides
36
Networks in Motion (NEMO) Experiments
  • IPv4
  • IPv6

37
(Image-only slide, no transcript)
38
(Image-only slide, no transcript)
39
(Diagram sequence, slides 39 to 43) Mobile Router with Secure Mobile LAN, Home Agent, Corresponding Public Node and Corresponding Private Node.
44
Ouch!
(Diagram) Mobile Router and Foreign Agent.
45
(Image-only slide, no transcript)
46
(Image-only slide, no transcript)
47
Layer 2 Technology
  • Globalstar MCM-8
  • L3-Comm 15 dBic Tracking Antenna
  • Hypergain 802.11b Flat Panel
  • 8 dBi Dipole
  • Sea Tel Tracking Antenna
48
Encryption
(Diagram) Mobile LAN 10.x.x.x behind an encryptor; 802.11b link (public address); FA - Detroit and FA Cleveland; INTERNET, FIREWALL and HA with a second encryptor.
49
Open Network Data Transfers
(Diagram) Same components as slide 21: Mobile LAN 10.x.x.x, EAST and WEST dock connections, 802.11b link (public address) at the USCG Officers Club, FA - Detroit and FA Cleveland, INTERNET, FIREWALL, HA, encryptors at both ends.
50
RF Bandwidth
(Diagram) 7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay); Dock: 11.0 Mbps (auto-negotiated and shared with Officers Club); EAST and WEST links: 1.0 Mbps (manually set); Mobile LAN 10.x.x.x behind the encryptor.
51
Wireless Only?
  • Wireless can be jammed (intentionally or
    unintentionally)
      • Particularly unlicensed spectrum such as 802.11
      • Satellite is a bit harder
      • Solution is to find the interferer and make them
        stop.
  • You may still want land line connections
      • Mobile Routing can be used over land lines.