Glenn Research Center, Satellite Networks & Architectures Branch, Communications Technology Division. I-CNS Workshop, April/May 2002. Securing Mobile and Wireless Networks.

Presentation transcript:

Securing Mobile and Wireless Networks
Will Ivancic

Outline
Network Security, What is it?
Security Truths
Mobile and Wireless Networks
Issues / Challenges
USCG/NASA/Cisco Neah Bay Project
Military Scenarios
Conclusions

Network Security – What is it?
!!! Policy !!!
Encryption
AAA (Authentication, Authorization and Accounting)
Architecture
Confidentiality
Prevention, Detection and Correction

Security Truths
1. Security is necessary
2. Security is painful
  – At least to date it is
3. Security breaks everything
  – Well, enough things so that it appears to break everything
  – Lots of ingenuity required to make things work
New IETF End-to-End concept/reality is application-to-application rather than machine-to-machine, due to middleware.

Security Truths
More security means more bandwidth utilization.
More security means less performance.
  – Tunnels, Tunnels, Tunnels and more Tunnels
Less performance means less security: the user turns OFF security to make the system usable!
Thus, we need more bandwidth to ensure security.
[Figure: the original packet (header + payload) wrapped by successive headers: virtual private network header, encryption at the network layer header, encryption on the RF link header]
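The "tunnels on tunnels" point above can be made concrete by counting bytes. The model below is an added example written for this transcript, not material from the presentation; the per-layer header sizes are assumptions (a 20-byte IP-in-IP outer header for the Mobile-IP tunnel, an IPsec ESP tunnel-mode layer with AES-CBC padding and a 12-byte HMAC-SHA1-96 ICV, and a constructed 16-byte RF-link encryptor overhead), as are the 60-byte VoIP and 1400/1420-byte bulk datagrams it feeds in.

```python
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class Layer:
    """One encapsulation wrapped around an already-formed datagram."""
    name: str
    fixed: int        # header/trailer/ICV bytes added to every packet
    block: int = 1    # cipher block size the inner bytes are padded to (1 = no padding)
    trailer: int = 0  # bytes that must fit inside the padded region (ESP pad-length + next-header)

    def wrap(self, inner: int) -> int:
        """Size on the wire after this layer encapsulates `inner` bytes."""
        pad = (-(inner + self.trailer)) % self.block
        return self.fixed + inner + pad + self.trailer


# Assumed per-layer costs (illustrative constants, not figures from the talk):
MOBILE_IP_TUNNEL = Layer("Mobile-IP IP-in-IP tunnel (20-byte outer IPv4 header)", fixed=20)
IPSEC_ESP = Layer("IPsec ESP tunnel mode, AES-CBC + HMAC-SHA1-96",
                  fixed=20 + 8 + 16 + 12,   # outer IP + ESP header + IV + ICV
                  block=16, trailer=2)
RF_ENCRYPTOR = Layer("RF link encryptor (constructed 16-byte framing overhead)", fixed=16)
STACK: Sequence[Layer] = (MOBILE_IP_TUNNEL, IPSEC_ESP, RF_ENCRYPTOR)


def encapsulate(packet: int, layers: Sequence[Layer] = STACK) -> int:
    """Bytes on the RF link once `packet` (original IP header + payload) passes every layer."""
    size = packet
    for layer in layers:            # innermost tunnel first, RF encryptor last
        size = layer.wrap(size)
    return size


def efficiency(packet: int, layers: Sequence[Layer] = STACK) -> float:
    """Fraction of the link bytes that are the original packet."""
    return packet / encapsulate(packet, layers)


def exceeds_mtu(packet: int, layers: Sequence[Layer] = STACK, mtu: int = 1500) -> bool:
    """True when the stacked encapsulation pushes the frame past the link MTU (fragmentation)."""
    return encapsulate(packet, layers) > mtu


def report(packet: int, layers: Sequence[Layer] = STACK) -> str:
    size, lines = packet, [f"original packet: {packet} bytes"]
    for layer in layers:
        size = layer.wrap(size)
        lines.append(f"+ {layer.name}: {size} bytes")
    lines.append(f"efficiency {efficiency(packet, layers):.1%}, "
                 f"fragmentation {'YES' if exceeds_mtu(packet, layers) else 'no'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed inputs: a 60-byte VoIP datagram (IP+UDP+RTP+20-byte codec frame)
    # and two bulk datagrams, one of which no longer fits a 1500-byte link MTU.
    for pkt in (60, 1400, 1420):
        print(report(pkt), end="\n\n")
```

The small-packet case is the one that matters on a satellite or Inmarsat link: the same three layers that cost a bulk datagram a few percent cost a VoIP datagram almost two thirds of the link, and a datagram that was comfortably under the MTU before encapsulation gets fragmented after it.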

Mobile and Wireless Networks – What Do We Mean?

Entire Networks in Motion – Mobile Router (One View)

Mobile Network (Another View)
Mobile users rather than mobile networks
  – VPNs
  – Dial-In
  – Wireless LANs
  – DHCP
This is what the corporate user of the airborne Internet "sees" as mobility.
This is the cabin environment.

Issues and Challenges

Shared Infrastructure
[Figure: Public Internet with FA, MR and HA; US Coast Guard, Canadian Coast Guard, ACME Shipping (with its own HA and MR) and US Navy sharing the infrastructure]
If I run encryption on the wireless links, it will be very difficult to share infrastructure – Policy and Architecture.

Asymmetrical Pathing
[Figure: Mobile Router reaching the Internet via MilStar, Globalstar or other links on one path and a DVB satellite on the other; Home Agent; Foreign Agent]
Bi-directional links are often assumed.
Unidirectional links can be problematic for encryption and AAA.

Reparenting the HA in Mobile-IP
[Figure: Primary Home Agent and Secondary Home Agent; reparenting the Home Agent helps resolve the triangular routing problem over long distances]
Encryption associations break when handing off between networks.

Key Distribution
Painful
Difficult
Needs to be worked to be more manageable and scalable
Problem grows as the network grows
Sharing infrastructure makes the problem more difficult
Military key distribution is even worse
Fortunately, this problem is being addressed by industry

Middleware
Firewalls
Network Address Translators (NATs)
Performance Enhancing Proxies
Load Sharing Devices
Traffic Shapers
Web Accelerators
Transparent Proxies
Normalizers

Middleware
Middleware is a reality and it doesn't appear to be going away. Rather, its use is increasing – particularly with regard to network security.
This patchwork of "goop" we're putting in the network may be degrading the performance of the network. It is definitely degrading our ability to figure out what is wrong with the network.
We need to consider how the architecture should be changed to meet some of the challenges the network faces today that were not issues when the original vision was developed.
  – Deep thinking on architectural principles for the new millennium.

Example #1
GRC personnel ran what appeared to be a complete, successful transaction from inside the GRC firewall to a machine at BBN that was outside the GRC firewall.
  – Problem was that the BBN machine had been turned off for six months!
  – GRC proxy spoofed the transaction.
So you thought you sold your ENRON shares before it tanked, but you were wrong – only, you didn't know it until it was too late.
Or, you thought you sent a successful command to the aircraft, but you were wrong.
  – The Network Researchers say something is wrong, it is broken.
  – The Security Implementers say that is the way it is supposed to work.

Example #2
Mobile-IP using IPv4
  – GRC firewall blocks UDP traffic. Need to open UDP port 436.
  – Security Issue (Policy)
  – Triangular routing squashed at GRC proxy/NAT
Responses to transactions that originated outside the firewall are blocked by the proxy/NAT, which is holding state.
  – Proxy never saw a transaction initiated from within the GRC network, so the response to the transaction is blocked.
  – Reverse tunneling solves the problem, at a cost of increased overhead and time delay.
[Figure: Home Network containing Foreign Agent, Router and Proxy; Internet; Corresponding Node; Mobile Unit]

Middleware and Encryption
Encryption renders most (if not all) Performance Enhancing Proxies (PEPs) useless relative to the encrypted flow.
Many types of encryption make QoS engineering problematic
  – Protocol header bits hidden (IP in IP)
  – TOS header bits may be hidden

Neah Bay / Mobile Router Project
[Figure: Foreign-Agents at Cleveland and Detroit ("Somewhere, USA"), Home-Agent ("Anywhere, USA"), connected over the Internet. Neah Bay outside of wireless LAN range, connected to the FA via Inmarsat. Neah Bay connected to the FA via wireless LAN at Cleveland harbor.]

Security Issues Being Addressed
Shared Infrastructure
Wireless LAN Security
  – Advancements to WEP
Mixed Address Space
  – NATs and Proxies
Low Rate Links
Satellite Links
Performance over multiple tunnels
Manageable and Scalable Architecture

[Figure: Neah Bay network diagram. Internet; WB Satellite; WB Tachyon; FA; MR; FA – Cleveland; FA – Detroit; FA – Pelee Island?; HA (loopback has public address); IPSec tunneled link from open Internet to HA; Satellite Antenna System; VOIP; Taclane SW; USCG Intranet; DSL ISP; Satellite ISP; DSL with subnet?; GlobalStar or INMARSAT; Public Address. Interim solution: HA directly connected to Internet via DSL. Encryption layers shown: Wireless Encryption, RF Encryption, Layer-3 Network Encryption, Type 1 Encryption.]

[Figure: MR (public) with Mobile LAN 10.x.x.x; Internet; Intranet 10.x.x.x; FA – Cleveland (public); FA – Detroit; HA (public); Proxy/NAT; PIX; PIX-506, until we install our PIX firewall, then we should not need the baby PIX; b link.]

Protect the MR LAN
Firewall between MR LAN and MR, as well as between HA and Private Intranet.
Tunnels necessary between FAs on the Internet and the Firewall to provide connection of private address space over the public Internet.
Reverse tunneling required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall.

HA Outside/Collocated with Main Firewall
Firewall between MR interfaces and the public Internet, as well as between the FA interfaces connecting to the private Intranet and the HA and Private Intranet.
Multiple VPNs required. One for each possible interface combination.
Tunnels necessary between FAs on the Internet and the Firewall to provide connection of private address space over the public Internet.
Reverse tunneling required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall. VPNs take care of this.
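Example #2 and the two MR LAN slides above both turn on the same mechanism: a stateful proxy/NAT at the home-network border only passes inbound packets that answer a flow it forwarded outbound, so a triangularly routed reply arrives "cold" and is dropped, while a reverse-tunnelled request exits through the proxy and leaves the state the reply needs. The simulation below is an added example written for this transcript, not code from the presentation or from NASA GRC; all addresses are constructed from the documentation ranges and the flow keys, log messages and tunnel-crossing count are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed addresses (documentation ranges); none come from the presentation.
HOME_NET = ipaddress.ip_network("10.1.0.0/16")   # intranet sitting behind the proxy/NAT
HA_ADDR = "10.1.0.1"       # Home Agent, inside the home network
MN_HOME = "10.1.0.50"      # mobile unit's permanent home address
MN_COA = "203.0.113.9"     # care-of address at the Foreign Agent
CN_ADDR = "198.51.100.7"   # corresponding node on the public Internet

FlowKey = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.proto, self.sport, self.dport)

    def reverse_key(self) -> FlowKey:
        return (self.dst, self.src, self.proto, self.dport, self.sport)


class StatefulProxy:
    """Proxy/NAT at the home-network border: an inbound packet passes only if it
    answers an outbound flow this device itself forwarded."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()
        self.log: List[str] = []

    def outbound(self, pkt: Packet) -> None:
        self.flows.add(pkt.key())
        self.log.append(f"state created {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")

    def inbound(self, pkt: Packet) -> bool:
        ok = pkt.reverse_key() in self.flows
        verdict = "passed" if ok else "BLOCKED (no matching outbound flow)"
        self.log.append(f"{verdict} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return ok


def mn_request() -> Packet:
    return Packet(MN_HOME, CN_ADDR, "tcp", 40000, 80)


def cn_reply(req: Packet) -> Packet:
    return Packet(req.dst, req.src, req.proto, req.dport, req.sport)


def arrives_at_home_border(pkt: Packet) -> bool:
    """Replies to the home address are routed to the home network, i.e. to the proxy."""
    return ipaddress.ip_address(pkt.dst) in HOME_NET


def ha_decapsulate(outer: Packet, inner: Packet) -> Packet:
    """The HA accepts a reverse-tunnelled datagram only if the outer header is for it."""
    if outer.dst != HA_ADDR or outer.proto != "ipip":
        raise ValueError("not a reverse-tunnel packet for this HA")
    return inner


def triangular_routing(proxy: StatefulProxy) -> Tuple[bool, int]:
    """Mobile unit sends straight out of the foreign network with its home address as
    source; the reply is routed to the home address and meets the proxy with no state.
    Returns (reply delivered?, tunnel crossings used)."""
    req = mn_request()                      # exits via the FA uplink, never touches the proxy
    reply = cn_reply(req)
    if arrives_at_home_border(reply) and proxy.inbound(reply):
        return True, 1                      # HA would tunnel the reply HA -> COA
    return False, 0


def reverse_tunneling(proxy: StatefulProxy) -> Tuple[bool, int]:
    """Mobile unit's request is tunnelled FA -> HA first, so it leaves through the proxy
    like any intranet host's traffic and creates the state the reply needs."""
    req = mn_request()
    outer = Packet(MN_COA, HA_ADDR, "ipip", 0, 0)     # reverse tunnel, crossing #1
    proxy.outbound(ha_decapsulate(outer, req))        # HA forwards it out via the proxy
    reply = cn_reply(req)
    if arrives_at_home_border(reply) and proxy.inbound(reply):
        return True, 2                                # HA -> COA tunnel for the reply, crossing #2
    return False, 1


if __name__ == "__main__":
    for scenario in (triangular_routing, reverse_tunneling):
        proxy = StatefulProxy()
        delivered, crossings = scenario(proxy)
        print(f"{scenario.__name__}: delivered={delivered}, tunnel crossings={crossings}")
        for line in proxy.log:
            print("   ", line)
```

The crossing count is the "cost" the slide mentions: every round trip now carries two extra encapsulations and a detour through the home agent, which is the price of keeping the border proxy's state model intact rather than punching a hole in it for Mobile-IP replies.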

Military Applications
[Figure: Battle Groups A, B and C; AWACS; UAV; Intelligence Control Center; Artillery Support Group; Battle Group Command Center (BGCC). Tactical data forwarded from surveillance satellites to the BGCC. Communications link between BGCC and the Field Command Posts. Foreign-Agents deployed in UAVs, in a Tracked Command Post Carrier and in Mobile Command Posts. Mobile-Routers deployed in Armored Field Units, Airborne Support Units, Field Units and Field Artillery Units. Home-Agent deployed in BGCC.]

ATN Security Notes
Encryption
  – Still under development
  – Asymmetric Cryptography (Public/Private Keys)
  – Session-specific secret key (variant of Diffie-Hellman)
Message Authentication
  – HMAC, IETF RFC 2104
  – Hash Function (Secure Hash Algorithm Revision One, NIST)
Authentication
  – Digital Signature (elliptic curve variant of Digital Signature Algorithm)
  – Hash Function
  – Asymmetric Enciphered (private key)
  – Certificate Authority
  – Cross-certificates
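Two of the building blocks listed above, a Diffie-Hellman derived session key and HMAC per RFC 2104 over SHA-1, are small enough to show end to end. The following is an added example for this transcript, not ATN or presentation code: the HMAC construction follows RFC 2104 literally (ipad/opad, key hashed if longer than the block, zero-padded to the block), and the Diffie-Hellman group is a constructed toy (p = 2^127 - 1, g = 3) chosen only so the exchange runs instantly; a real deployment uses a standardised large group and the elliptic-curve signature scheme the slide names on top of it.

```python
import hashlib
import hmac
import secrets

SHA1_BLOCK_BYTES = 64   # B in RFC 2104: byte length of the hash input block (64 for SHA-1)


def hmac_sha1_rfc2104(key: bytes, text: bytes) -> bytes:
    """HMAC exactly as RFC 2104 defines it: H(K XOR opad, H(K XOR ipad, text)), H = SHA-1."""
    if len(key) > SHA1_BLOCK_BYTES:
        key = hashlib.sha1(key).digest()            # keys longer than B are hashed down first
    key = key.ljust(SHA1_BLOCK_BYTES, b"\x00")      # then zero-padded out to B bytes
    k_ipad = bytes(b ^ 0x36 for b in key)
    k_opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha1(k_ipad + text).digest()
    return hashlib.sha1(k_opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes) -> bool:
    """Cross-check the hand-written construction against Python's hmac module."""
    return hmac_sha1_rfc2104(key, text) == hmac.new(key, text, hashlib.sha1).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes) -> bool:
    """Receiver-side check; constant-time compare so timing does not leak how much matched."""
    return hmac.compare_digest(hmac_sha1_rfc2104(key, text), tag)


# Toy Diffie-Hellman group (constructed for illustration, not a deployable parameter set).
DH_P = 2**127 - 1   # Mersenne prime M127
DH_G = 3            # not 2: 2**127 == 1 (mod M127), so 2 generates only 127 values


def dh_public(private: int) -> int:
    return pow(DH_G, private, DH_P)


def dh_session_key(private: int, peer_public: int) -> bytes:
    """Session-specific secret: hash the shared DH value down to a 20-byte HMAC key."""
    shared = pow(peer_public, private, DH_P)
    return hashlib.sha1(shared.to_bytes(16, "big")).digest()


def exchange_demo(msg: bytes, tamper: bool = False):
    """Two parties agree a session key, then one authenticates a message to the other.
    Returns (both sides derived the same key?, receiver accepted the message?)."""
    a_priv = secrets.randbelow(DH_P - 2) + 1
    b_priv = secrets.randbelow(DH_P - 2) + 1
    k_a = dh_session_key(a_priv, dh_public(b_priv))
    k_b = dh_session_key(b_priv, dh_public(a_priv))
    tag = hmac_sha1_rfc2104(k_a, msg)                 # sender computes the 20-byte tag
    received = msg[:-1] + bytes([msg[-1] ^ 1]) if tamper else msg   # flip one bit in transit
    return k_a == k_b, verify_tag(k_b, received, tag)


if __name__ == "__main__":
    # Constructed CPDLC-style clearance text used as the authenticated message.
    message = b"CLIMB TO AND MAINTAIN FL350"
    print("clean   :", exchange_demo(message))
    print("tampered:", exchange_demo(message, tamper=True))
```

The 20-byte tag per message is also the number to feed into the bandwidth question on the next slide: for a short clearance the authenticator is a sizeable fraction of the bytes sent, before any encryption or AAA overhead is counted.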

Example of Cryptographic Services
Can CPDLC bandwidth handle encryption and AAA?

Example of Certificate Environment

Conclusions
Security is necessary, albeit often painful
Key distribution and AAA methods need to be developed that ease the deployment
We need to be aware of middleware
Increased security requires increased bandwidth and connectivity
A mobile network means different things to different people
  – Mobile user
  – Entire networks in motion
Too much security may result in less security
  – Security bypassed for the sake of performance!