
Slide 1: Securing Mobile Networks in an Operational Setting
Will Ivancic, wivancic@grc.nasa.gov, (216) 433-3494

Slide 2: Outline
- Security Considerations
- Neah Bay Project
- Cost of Connectivity
- NASA's Mobile Network Needs

Slide 3: Security Considerations

Slide 4: Securing Networks
Constraints/Tools:
- Policy: security policy, education, enforcement
- Architecture
- Protocols
Must be done up front to be done well.

Slide 5: IPv4 Utopian Operation (Triangular Routing)
[Diagram: Public Internet, FA, MR, US Coast Guard Mobile Network, HA, US Coast Guard Operational Network (Private Address Space), CN]

Slide 6: IPv4 "Real World" Operation
[Diagram: Public Internet, FA, MR, US Coast Guard Mobile Network, HA, US Coast Guard Operational Network (Private Address Space), CN, Proxy]
- The proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best.
- Glenn Research Center policy: no UDP, no IPSec, etc. Mobile-IP stopped in its tracks. What's your policy?
- Ingress or egress filtering stops transmission due to a topologically incorrect source address. IPv6 corrects this problem.
- USCG requires 3DES encryption. WEP is not acceptable due to known deficiencies.

Slide 7: Current Solution: Reverse Tunneling
[Diagram: Public Internet, FA, MR, US Coast Guard Mobile Network, HA, US Coast Guard Operational Network (Private Address Space), CN, Proxy]
- Anticipate similar problems for IPv6.
- Adds overhead and kills route optimization.
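The ingress-filtering failure of slides 6 and the reverse-tunneling fix of slides 7 and 19, modelled as an added example (not code from the presentation). The addresses, prefixes and the border router's filter rule are constructed; the mobile router keeps its home address while attached to a foreign network.

```python
"""Why a Mobile IP node fails ingress filtering on a foreign network, and how
reverse tunneling (RFC 3024) restores delivery. Constructed topology: the
mobile router (MR) keeps its home address while visiting a foreign network."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    inner: Optional["Packet"] = None   # set when IP-in-IP encapsulated


# Constructed addresses (documentation ranges), not the USCG network.
FOREIGN_NET = IPv4Network("203.0.113.0/24")     # network served by the FA
HOME_AGENT = IPv4Address("198.51.100.1")
MR_HOME_ADDR = IPv4Address("198.51.100.20")     # topologically wrong when away
CARE_OF_ADDR = IPv4Address("203.0.113.77")      # FA or collocated care-of address
CORRESPONDENT = IPv4Address("192.0.2.10")       # CN on the public Internet


def ingress_filter(pkt: Packet, local_net: IPv4Network) -> bool:
    """Border router of the foreign network: forward only packets whose outer
    source address belongs to the network they are leaving (RFC 2827)."""
    return pkt.src in local_net


def send_direct(payload: Packet) -> bool:
    """Triangular routing: MR sends to the CN directly, source = home address."""
    return ingress_filter(payload, FOREIGN_NET)


def send_reverse_tunneled(payload: Packet) -> Optional[Packet]:
    """Reverse tunneling: encapsulate toward the HA with the care-of address as
    outer source, so the border filter sees a topologically correct address.
    Returns the packet the HA forwards after decapsulation, or None if dropped."""
    outer = Packet(src=CARE_OF_ADDR, dst=HOME_AGENT, inner=payload)
    if not ingress_filter(outer, FOREIGN_NET):
        return None
    return outer.inner   # HA strips the outer header and routes the original


def demo() -> dict:
    payload = Packet(src=MR_HOME_ADDR, dst=CORRESPONDENT)
    via_ha = send_reverse_tunneled(payload)
    return {
        "direct_passes_filter": send_direct(payload),
        "tunneled_passes_filter": via_ha is not None,
        "cn_sees_home_address": via_ha is not None and via_ha.src == MR_HOME_ADDR,
    }
```

The cost the slide notes is visible in the model: every packet carries one extra IPv4 header and detours through the HA instead of taking the direct path.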

Slide 8: Security
- Higher security: higher bandwidth utilization.
- Higher security: lower performance.
- Tunnels, tunnels, tunnels and more tunnels.
- Lower performance leads to lower security: the user turns OFF security to make the system usable!
- Thus, we need more bandwidth to ensure security.
[Diagram, packet growth from inside out: PAYLOAD; ORIGINAL PACKET HEADER; VIRTUAL PRIVATE NETWORK HEADER; ENCRYPTION AT THE NETWORK LAYER HEADER; ENCRYPTION ON THE RF LINK HEADER]
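The header stacking in the slide's diagram, worked through for a small voice packet on a 56 kbps link, as an added example that is not part of the presentation. It assumes the VPN layer is the Mobile IP reverse tunnel (IP-in-IP), the network-layer encryption is IPsec ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96 (the 3DES requirement is from slide 6), and the RF link encryption costs an assumed 16 bytes per frame.

```python
"""Effective goodput when one packet is wrapped in the layers from the slide:
reverse tunnel (IP-in-IP), ESP tunnel mode (3DES + HMAC-SHA1-96), and RF link
encryption. The RF link overhead is an assumed figure, not from the slides."""

IPV4_HDR = 20
UDP_HDR, RTP_HDR = 8, 12


def esp_tunnel_overhead(inner_len: int) -> int:
    """Bytes added by ESP tunnel mode with 3DES-CBC and HMAC-SHA1-96: outer
    IPv4 header, SPI + sequence number (8), IV (8), padding to the 8-byte
    cipher block, pad-length + next-header trailer (2), 96-bit ICV (12)."""
    block = 8
    body = inner_len + 2            # encrypted region before padding
    pad = (-body) % block
    return IPV4_HDR + 8 + 8 + pad + 2 + 12


def stacked_size(payload: int, rf_link_overhead: int = 16) -> dict:
    """Walk a packet through each encapsulation in the slide's diagram."""
    original = IPV4_HDR + UDP_HDR + RTP_HDR + payload    # original packet
    vpn = original + IPV4_HDR                            # reverse-tunnel IP-in-IP
    net_enc = vpn + esp_tunnel_overhead(vpn)             # ESP tunnel mode
    rf = net_enc + rf_link_overhead                      # RF link encryption (assumed)
    return {"original": original, "vpn": vpn, "network_encryption": net_enc,
            "rf_link": rf, "payload_fraction": round(payload / rf, 3)}


def packets_per_second(link_kbps: float, frame_bytes: int) -> float:
    """How many frames of this size a link carries per second."""
    return link_kbps * 1000 / 8 / frame_bytes


def demo() -> dict:
    # Constructed input: a 20-byte G.729-style voice sample; 56 kbps Globalstar link.
    sizes = stacked_size(payload=20)
    return {**sizes,
            "fps_plain_56k": round(packets_per_second(56, sizes["original"]), 1),
            "fps_secured_56k": round(packets_per_second(56, sizes["rf_link"]), 1)}
```

With these assumptions the 60-byte voice packet grows to 152 bytes and only about 13% of each frame is payload, so the secured link carries fewer than half the packets per second of the unsecured one.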

Slide 9: Conclusions Regarding Security
- Security breaks everything. At least it sometimes feels like that. "The Ultimate Denial of Service Attack" – D.S.
- Need to change policy where appropriate.
- Need to develop good architectures that consider how the wireless systems and protocols operate.
- Possible solutions that should be investigated: dynamic, protocol-aware firewalls and proxies, possibly incorporated with authentication and authorization.

Slide 10: Neah Bay / Mobile Router Project

Slide 11
[Diagram: Cleveland; Detroit Foreign-Agent; Globalstar G/T Smiths Falls, Canada Foreign-Agent; Home-Agent Anywhere, USA; Internet]
- Neah Bay outside of wireless LAN range: connected via Globalstar using a Collocated Care-of-Address.
- Neah Bay connected to the FA via wireless LAN at Cleveland harbor.

Slide 12: Why NASA/USCG/Industry
- Real world deployment issues can only be addressed in an operational network.
- USCG has immediate needs, therefore a willingness to work the problem.
- USCG has military network requirements.
- USCG is a large enough network to force us to investigate full scale deployment issues.
- USCG is small enough to work with.
- NASA has the same network issues regarding mobility, security, network management and scalability.

Slide 13: Mobile-Router Advantages
- Share wireless and network resources with other organizations ($$$ savings)
- Set and forget: no onsite expertise required. However, you still have to engineer the network.
- Continuous connectivity (may or may not be important to your organization)
- Robust: secondary home agent (dynamic HA)

Slide 14: Mobile Network Design Goals
- Secure
- Scalable
- Manageable
- Ability to share network infrastructure
- Robust

Slide 15: Shared Network Infrastructure
[Diagram: Public Internet, FA, MR, US Coast Guard, Canadian Coast Guard, ACME Shipping, HA, ACME Shipping MR, US Navy MR]
Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

Slide 16: Secondary Home Agent (Dynamic HA)
[Diagram: Primary Home Agent, Secondary Home Agent, Reparenting Home Agent]
Helps resolve the triangular routing problem over long distances.

Slide 17: Emergency Backup (Hub / Spoke Network)
- If the primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established.
- If the primary control site is physically incapacitated, there is no backup capability.

Slide 18: Secondary Home Agent (Fully Meshed Network)
[Diagram: sites 1 through 5, fully meshed]
If the primary control site is physically incapacitated, a second or third or fourth site takes over automatically.

Slide 19: We Are Running with Reverse Tunneling
Pros:
- Ensures topologically correct addresses on foreign networks.
- Required, as requests from MR LAN hosts must pass through the proxy inside the main firewall.
- Greatly simplifies setup and management of security associations in encryptors.
- Greatly simplifies multicast; the HA makes for an excellent rendezvous point.
- Mobile Router does NOT have to be in public address space so long as the Collocated Care-of-Address is.
Cons:
- Uses additional bandwidth.
- Destroys route optimization.

Slide 20
[Diagram: Internet; Globalstar link uses Collocated COA; FA - Cleveland; HA; FA - Detroit; Open Internet to HA; Satellite Antenna System; VOIP; Encryptor; USCG Intranet; Ameritech DSL with subnet; GlobalStar Network (NATing from Public to Private); HA (loopback has Public Address); Public Address; MR (loopback has Public Address); Neah Bay (Protected LAN); APKnet DSL with subnet]
MR does not have to be in public address space when using reverse tunneling; however, the FA or CCoA does, in order to transit the Internet.

Slide 21: Encrypted Network Data Transfers
[Diagram: Mobile LAN 10.x.x.x; INTERNET; USCG INTRANET 10.x.x.x; FA - Detroit; FA - Cleveland; HA; Encryption; PROXY; Encryption; 802.11b link; FIREWALL; Public Address; USCG Officer's Club; East and West Dock]

Slide 22: Use and Deployments
- 1st demonstrated August 23 & November 6, 2002.
- Used in operational setting July – Sept 2003, New York and Boston Harbor: NY had no land line; Boston land line was poor, switched to satellite.
- Used Oct – Nov 2003 at shipyard during maintenance: 802.11b at 11 Mbps.

Slide 23: Operational System, With Acceptable Encryption
[Diagram: MR (Public); Mobile LAN 10.x.x.x; INTERNET; INTRANET 10.x.x.x; FA – Cleveland (Private); HA (Public); PROXY; PIX-506; 802.11b link; FA - Detroit]
Home Agent is incorporated with the firewall and proxy.

Slide 24: Goal: have the mobile utilize both public and private infrastructure.

Slide 25: Maintaining Two Networks (Routing over Layer-3 Encryptors)
[Diagram: HA; Encryptor; Internet; Private Leased Line; USCG Intranet; Encryptor; Fed Bldg Router; MR; Neah Bay LAN; Dockside Router; Umbilical Cord (Connected When Docked); RIPv2; ENCRYPTOR; Mobile Router; Foreign Agent; ICMP Router Discovery]
Decrementing TTL in Layer-3 encryptors disables routing protocols.
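The failure mode on this slide, as an added example (not from the presentation): RIPv2 updates between the dockside and Federal Building routers are link-local multicasts sent with TTL 1, so an encryptor that behaves as an IP hop consumes them before the peer router sees them, while ordinary user traffic with a normal TTL still crosses. The hop list and the 10.x address are constructed.

```python
"""Why a Layer-3 encryptor that decrements TTL breaks routing protocols across
it. RIPv2 updates are multicast to 224.0.0.9 with TTL 1 (RFC 2453), so any
device acting as an IP hop discards them. Hop names and addresses are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

RIPV2_GROUP = "224.0.0.9"


@dataclass
class Hop:
    name: str
    decrements_ttl: bool   # True for routers and "routed" Layer-3 encryptors


@dataclass
class Datagram:
    dst: str
    ttl: int


def forward(pkt: Datagram, path: List[Hop]) -> Tuple[bool, Optional[str]]:
    """Carry pkt across path to the far router; return (delivered, dropping hop)."""
    ttl = pkt.ttl
    for hop in path:
        if hop.decrements_ttl:
            ttl -= 1
            if ttl <= 0:
                return False, hop.name       # TTL exceeded in transit, discarded
    return True, None


def rip_update() -> Datagram:
    """A RIPv2 periodic update as a router emits it: link-local multicast, TTL 1."""
    return Datagram(dst=RIPV2_GROUP, ttl=1)


def demo() -> dict:
    # Constructed path between the Fed Bldg router and the dockside router:
    # two encryptors around the private leased line, either routed or transparent.
    routed = [Hop("encryptor-fedbldg", True), Hop("encryptor-dockside", True)]
    transparent = [Hop("encryptor-fedbldg", False), Hop("encryptor-dockside", False)]
    user_data = Datagram(dst="10.1.2.3", ttl=64)   # constructed Neah Bay LAN host
    return {
        "rip_over_routed_encryptors": forward(rip_update(), routed),
        "rip_over_transparent_encryptors": forward(rip_update(), transparent),
        "user_data_over_routed_encryptors": forward(user_data, routed),
    }
```

The asymmetry is what makes the problem hard to spot: data flows, but the routing adjacency silently never forms.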

Slide 26: Globalstar/Sea Tel MCM-8
- Initial market addresses maritime and pleasure boaters.
- Client / server architecture, a common architecture. Current implementation requires the call to be initiated by the client (ship).
- Multiplexes eight channels to obtain 56 kbps total data throughput. Full bandwidth-on-demand.
- Requires use of a Collocated Care-of-Address.

Slide 27: Satellite Coverage
[Figure: Globalstar and INMARSAT coverage, from SaVi]

Slide 28: Link Performance Considerations
[Diagram: link rates 11 Mbps, 128 kbps, 11 Mbps]

Slide 29: Cost of Connectivity (Examples)

Slide 30: Deployment Issues (Mobile)
- Equipment costs
- Service cost
- Network peculiarities: network address translators, performance enhancing proxies
- Security mechanisms: packet filtering
- Connection mechanisms: smart card authentication, MAC and/or static key (manual login is unacceptable)

Slide 31: NASA's Mobile Network Needs
- Space-based systems
- Aeronautics (in partnership with FAA): weather dissemination, air traffic management, free flight
- Terrestrial (surface) systems: rovers, astronauts

Slide 32: Earth Observation
[Figure: T1, T2, ?, T3]

Slide 33: Sensor Web

Slide 34: Pick "Papers and Presentations" at http://roland.grc.nasa.gov/~ivancic/ (Neah Bay)

Slide 35: Backup Slides

Slide 36: Networks in Motion (NEMO) Experiments, IPv4 & IPv6

Slide 37

Slide 38

Slides 39–43
[Diagram, built up over five slides: Public Internet; Private Intranet; PROXY; ENCRYPTOR; Secure Mobile LAN; Mobile Router; Corresponding Public Node; Corresponding Private Node; Home Agent]
Slide 42 annotation: Proxy blocks communication initiated outside the firewall.

Slide 44
[Diagram: ENCRYPTOR; Mobile Router; Foreign Agent. Ouch!]

Slide 45

Slide 46

Slide 47: Layer 2 Technology
- Globalstar MCM-8
- Hypergain 802.11b Flat Panel, 8 dBi Dipole
- L3-Comm 15 dBic Tracking Antenna
- Sea Tel Tracking Antenna

Slide 48
[Diagram: Mobile LAN 10.x.x.x; INTERNET; USCG INTRANET 10.x.x.x; FA - Detroit; FA – Cleveland; HA; Encryption; PROXY; Encryption; 802.11b link; FIREWALL; Public Address; MR Tunnel Endpoint (Public Space); HA Tunnel Endpoint (Public Space)]
MR does not have to be in public address space when using reverse tunneling; however, the FA or CCoA does.

Slide 49: Open Network Data Transfers
[Diagram: Mobile LAN 10.x.x.x; INTERNET; USCG INTRANET 10.x.x.x; FA - Detroit; FA Cleveland; HA; Encryption; PROXY; Encryption; 802.11b link; FIREWALL; Public Address; USCG Officer's Club; East and West Dock]

Slide 50: RF Bandwidth
[Diagram: Mobile LAN 10.x.x.x; Encryption; East and West Dock]
- 1.0 Mbps (manually set)
- 11.0 Mbps (auto-negotiated and shared with Officer's Club)
- 7 kbps to 56 kbps in 7 kbps chunks (1 to 2.5 seconds delay)

Slide 51: Wireless Only?
- Wireless can be jammed (intentionally or unintentionally), particularly unlicensed spectrum such as 802.11. Satellite is a bit harder.
- The solution is to find the interferer and make them stop.
- You may still want land line connections. Mobile Routing can be used over land lines.

