Slide 1: Securing Mobile and Wireless Networks
Will Ivancic, wivancic@grc.nasa.gov, 216-433-3494
Glenn Research Center, Satellite Networks & Architectures Branch, Communications Technology Division
I-CNS Workshop, April/May 2002

Slide 2: Outline
- Network Security, What is it?
- Security Truths
- Mobile and Wireless Networks
- Issues / Challenges
- USCG/NASA/Cisco Neah Bay Project
- Military Scenarios
- Conclusions

Slide 3: Network Security – What is it?
- !!! Policy !!!
- Encryption
- AAA (Authentication, Authorization and Accounting)
- Architecture
- Confidentiality
- Prevention, Detection and Correction

Slide 4: Security Truths
1. Security is necessary
2. Security is painful
   – At least to date it is
3. Security breaks everything
   – Well, enough things so that it appears to break everything
   – Lots of ingenuity required to make things work
- New IETF end-to-end concept/reality: end-to-end is application-to-application rather than machine-to-machine, due to middleware.

Slide 5: Security Truths
- Security ↑ → Bandwidth utilization ↓
- Security ↑ → Performance ↓
  – Tunnels, tunnels, tunnels and more tunnels
- Performance ↓ → Security ↓ → User turns OFF security to make the system usable!
- Thus, we need more bandwidth to ensure security.
[Diagram: original packet (header + payload) wrapped in turn by a virtual private network header, a network-layer encryption header, and an RF-link encryption header]
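The stack of headers in the diagram has a cost that the slide states qualitatively but does not quantify. The following Python model is added here as an example and is not part of the presentation: it wraps a packet in a Mobile-IP IP-in-IP tunnel, then a tunnel-mode IPsec ESP tunnel, then RF-link encryption, and reports how much of the link is left for the original packet. IPv4, IP-in-IP and ESP sizes are protocol constants; the 3DES/HMAC-SHA1-96 algorithm choice, the 16-byte RF framing overhead and the sample packet sizes are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

IPV4_HDR = 20
UDP_HDR = 8
RTP_HDR = 12


@dataclass(frozen=True)
class Layer:
    """One encapsulation layer wrapped around whatever packet it is handed."""
    name: str
    header: int               # bytes prepended, outside any padding
    padded_trailer: int = 0   # bytes appended inside the padded region (ESP pad length + next header)
    trailer: int = 0          # bytes appended after padding (ESP integrity check value)
    block: int = 1            # cipher block size the padded region is rounded up to


# Mobile-IP tunnel from Home Agent to Foreign Agent: plain IP-in-IP, one extra IPv4 header.
MOBILE_IP_TUNNEL = Layer("Mobile-IP IP-in-IP tunnel", header=IPV4_HDR)

# Tunnel-mode ESP with 3DES-CBC (8-byte IV, 8-byte blocks) and HMAC-SHA1-96:
# outer IPv4 + SPI/sequence (8) + IV (8) + [inner packet + pad + 2-byte trailer] + 12-byte ICV.
IPSEC_ESP_TUNNEL = Layer("IPsec ESP tunnel (3DES-CBC, HMAC-SHA1-96)",
                         header=IPV4_HDR + 8 + 8, padded_trailer=2, trailer=12, block=8)

# RF link encryption: the framing overhead is an ASSUMED 16 bytes per frame, not a value from the slides.
RF_LINK_ENCRYPTION = Layer("RF link encryption (assumed 16-byte framing)", header=16)

FULL_STACK = [MOBILE_IP_TUNNEL, IPSEC_ESP_TUNNEL, RF_LINK_ENCRYPTION]

# Constructed sample packets: a G.729 voice packet (IP + UDP + RTP + 20-byte voice frame)
# and a near-MTU data packet.
VOIP_PACKET = IPV4_HDR + UDP_HDR + RTP_HDR + 20   # 60 bytes
BULK_PACKET = 1400


def encapsulate(inner_size: int, layer: Layer) -> int:
    """Size on the wire after wrapping an inner_size-byte packet in one layer."""
    body = inner_size + layer.padded_trailer
    padded = -(-body // layer.block) * layer.block   # round up to a whole number of cipher blocks
    return layer.header + padded + layer.trailer


def wire_size(original: int, stack: List[Layer]) -> int:
    """Size on the wire after applying every layer in the stack, innermost first."""
    size = original
    for layer in stack:
        size = encapsulate(size, layer)
    return size


def bandwidth_cost(original: int, stack: List[Layer]) -> Tuple[int, float, float]:
    """(bytes on the wire, fraction of the link carrying the original packet, extra bandwidth needed)."""
    wire = wire_size(original, stack)
    return wire, original / wire, wire / original - 1.0


if __name__ == "__main__":
    for label, size in (("VoIP packet", VOIP_PACKET), ("bulk data packet", BULK_PACKET)):
        running = size
        print(f"{label}: {size} bytes original")
        for layer in FULL_STACK:
            running = encapsulate(running, layer)
            print(f"  after {layer.name}: {running} bytes")
        wire, goodput, extra = bandwidth_cost(size, FULL_STACK)
        print(f"  goodput fraction {goodput:.2f}, needs {extra:.0%} more link bandwidth")
```

Run as a script it shows the asymmetry that matters on low-rate satellite and RF links: the 60-byte voice packet more than doubles in size, while the 1400-byte packet grows by only a few percent, so the "more bandwidth" the slide asks for is mostly a small-packet problem.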

Slide 6: Mobile and Wireless Networks – What Do We Mean?

Slide 7: Entire Networks in Motion – Mobile Router (One View)

Slide 8: Mobile Network (Another View)
- Mobile users rather than mobile networks
  – VPNs
  – Dial-In
  – Wireless LANs
  – DHCP
- This is what the corporate user of the airborne Internet "sees" as mobility
- This is the cabin environment

Slide 9: Issues and Challenges

Slide 10: Shared Infrastructure
[Diagram: Home Agents (HA) and Mobile Routers (MR) belonging to several organisations (US Coast Guard, Canadian Coast Guard, ACME Shipping, US Navy) reaching each other through a Foreign Agent (FA) on the public Internet]
- If I run encryption on the wireless links, it will be very difficult to share infrastructure – Policy and Architecture

Slide 11: Asymmetrical Pathing
[Diagram: Mobile Router reached over MilStar, Globalstar or other links in one direction and over a DVB satellite link in the other, via the Internet, Home Agent and Foreign Agent]
- Bi-directional links are often assumed.
- Unidirectional links can be problematic for encryption and AAA.

Slide 12: Reparenting the HA in Mobile-IP
[Diagram: Primary Home Agent and Secondary Home Agent, with the mobile node reparented from one to the other]
- Reparenting the Home Agent helps resolve the triangular routing problem over long distances
- Encryption associations break when handing off between networks

Slide 13: Key Distribution
- Painful
- Difficult
- Needs to be worked to be more manageable and scalable
- Problem grows as the network grows
- Sharing infrastructure makes the problem more difficult
- Military key distribution is even worse
- Fortunately, this problem is being addressed by industry

Slide 14: Middleware
- Firewalls
- Network Address Translators (NATs)
- Performance Enhancing Proxies
- Load Sharing Devices
- Traffic Shapers
- Web Accelerators
- Transparent Proxies
- Normalizers

Slide 15: Middleware
- Middleware is a reality and it doesn't appear to be going away. Rather, its use is increasing – particularly with regard to network security.
- This patchwork of "goop" we're putting in the network may be degrading the performance of the network. It is definitely degrading our ability to figure out what is wrong with the network.
- We need to consider how the architecture should be changed to meet some of the challenges the network faces today that were not issues when the original vision was developed.
  – Deep thinking on architectural principles for the new millennium.

Slide 16: Example #1
- GRC personnel ran what appeared to be a completely successful transaction from inside the GRC firewall to a machine at BBN that was outside the GRC firewall.
  – Problem was that the BBN machine had been turned off for six months!
  – GRC proxy spoofed the transaction.
- So you thought you sold your ENRON shares before it tanked, but you were wrong – only, you didn't know it until it was too late. Or, you thought you sent a successful command to the aircraft, but you were wrong.
  – The Network Researchers say something is wrong, it is broken.
  – The Security Implementers say that is the way it is supposed to work.

Slide 17: Example #2
- Mobile-IP using IPv4
  – GRC firewall blocks UDP traffic; need to open UDP port 436
  – Security Issue (Policy)
  – Triangular routing squashed at GRC proxy/NAT
- Responses to transactions that originated outside the firewall are blocked by the proxy/NAT, which is holding state.
  – Proxy never saw the transaction initiated from within the GRC network, so the response to the transaction is blocked.
  – Reverse tunneling solves the problem, at a cost of increased overhead and time delay
[Diagram: Home Network, Foreign Agent, Router, Proxy, Internet, Corresponding Node, Mobile Unit]

Slide 18: Middleware and Encryption
- Encryption renders most (if not all) Performance Enhancing Proxies (PEPs) useless relative to the encrypted flow.
- Many types of encryption make QoS engineering problematic
  – Protocol header bits hidden (IP in IP)
  – TOS header bits may be hidden
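The two QoS sub-bullets can be reproduced with a few lines of packet construction. The following Python example is added here and is not from the presentation: it builds a voice packet marked DSCP EF, wraps it in Mobile-IP-style IP-in-IP and in tunnel-mode ESP, and shows which marking a QoS classifier on the path can actually see in each case. The addresses, the SPI and the "ciphertext" are constructed placeholders; the ESP payload is not encrypted, only made opaque, which is all the illustration needs.

```python
import socket
import struct

PROTO_IPIP = 4    # IP-in-IP, as used by Mobile-IP tunnels
PROTO_UDP = 17
PROTO_ESP = 50    # IPsec Encapsulating Security Payload
DSCP_EF = 46      # Expedited Forwarding, the usual marking for voice


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the header (even length assumed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, dscp: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header; the DSCP sits in the top six bits of the TOS byte."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def dscp_of(pkt: bytes) -> int:
    return pkt[1] >> 2


def proto_of(pkt: bytes) -> int:
    return pkt[9]


def ip_in_ip(inner: bytes, copy_dscp: bool) -> bytes:
    """Wrap a packet in an IP-in-IP tunnel (outer addresses are constructed placeholders)."""
    outer_dscp = dscp_of(inner) if copy_dscp else 0
    return ipv4_header("192.0.2.1", "198.51.100.1", PROTO_IPIP, len(inner), outer_dscp) + inner


def esp_tunnel(inner: bytes, copy_dscp: bool) -> bytes:
    """Wrap a packet in tunnel-mode ESP. The payload is a stand-in for ciphertext
    (bytes XORed with a constant), NOT real encryption; the point is only that it is opaque."""
    outer_dscp = dscp_of(inner) if copy_dscp else 0
    spi_seq = struct.pack("!II", 0x1000, 1)          # placeholder SPI and sequence number
    opaque = bytes(b ^ 0x5A for b in inner)
    outer = ipv4_header("192.0.2.1", "198.51.100.1", PROTO_ESP, len(spi_seq) + len(opaque), outer_dscp)
    return outer + spi_seq + opaque


def classifier_view(pkt: bytes, inspect_tunnels: bool) -> int:
    """DSCP a QoS classifier on the path can act on.
    A plain classifier reads only the outermost header. One allowed to look inside
    IP-in-IP descends into the inner header; at ESP it has to stop, because the inner
    header is inside the ciphertext, so it is left with whatever the outer header says."""
    if inspect_tunnels and proto_of(pkt) == PROTO_IPIP:
        return classifier_view(pkt[20:], True)
    return dscp_of(pkt)


# Constructed sample: a voice packet from a mobile node to a correspondent, marked EF.
VOICE_PAYLOAD = struct.pack("!HHHH", 5004, 5004, 8 + 12, 0) + b"\x80" * 12   # UDP header + fake RTP
INNER = ipv4_header("10.0.0.5", "10.1.0.9", PROTO_UDP, len(VOICE_PAYLOAD), DSCP_EF) + VOICE_PAYLOAD

if __name__ == "__main__":
    cases = {
        "IP-in-IP, no DSCP copy, outer-header-only classifier": classifier_view(ip_in_ip(INNER, False), False),
        "IP-in-IP, no DSCP copy, classifier that looks inside": classifier_view(ip_in_ip(INNER, False), True),
        "ESP, no DSCP copy, classifier that looks inside": classifier_view(esp_tunnel(INNER, False), True),
        "ESP, DSCP copied at tunnel ingress": classifier_view(esp_tunnel(INNER, True), True),
    }
    print("inner packet DSCP:", dscp_of(INNER))
    for label, seen in cases.items():
        print(f"{label}: classifier sees DSCP {seen}")
```

The last case is the usual mitigation: the tunnel ingress copies the inner DS field into the outer header (the behaviour discussed for tunnels in RFC 2983), so a classifier downstream never needs to see inside the tunnel. The trade-off, which matters for the encrypted links on the following slides, is that the outer marking then reveals the traffic class of the protected flow.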

Slide 19: Neah Bay / Mobile Router Project
[Diagram: Home-Agent in "Anywhere, USA" and Foreign-Agents in Cleveland, Detroit and "Somewhere, USA" connected over the Internet; the Neah Bay connects to the FA via wireless LAN at Cleveland harbor, and via Inmarsat when outside wireless LAN range]

Slide 20: Security Issues Being Addressed
- Shared Infrastructure
- Wireless LAN Security
  – Advancements to WEP
- Mixed Address Space
  – NATs and Proxies
- Low Rate Links
- Satellite Links
- Performance over multiple tunnels
- Manageable and Scalable Architecture

Slide 21: Neah Bay network – interim solution (HA directly connected to the Internet via DSL)
[Diagram: Mobile Router (MR) with satellite antenna system, VoIP and Taclane; Foreign Agents at Cleveland and Detroit (and possibly Pelee Island) using WB Satellite, WB Tachyon, GlobalStar or INMARSAT links through a satellite ISP; HA whose loopback has a public address, reached over a DSL ISP (DSL with subnet?); IPSec tunneled link from the open Internet to the HA; USCG Intranet behind the HA. Encryption layers shown: wireless encryption, RF encryption, layer-3 network encryption, Type 1 encryption]

Slide 22: Neah Bay network – address spaces
[Diagram: MR with a public address and a Mobile LAN in 10.x.x.x; FA – Cleveland (public) and FA – Detroit on an 802.11b link; public HA on the Internet; Intranet 10.x.x.x behind a PROXY/NAT and a PIX-506 firewall ("until we install our PIX FW; then we should not need the baby PIX")]

Slide 23: Protect the MR LAN
- Firewall between MR LAN and MR, as well as between HA and Private Intranet
- Tunnels necessary between FAs on the Internet and the Firewall to provide connection of private address space over the public Internet.
- Reverse tunneling required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall.

Slide 24: HA Outside/Collocated with Main Firewall
- Firewall between MR interfaces and the public Internet, as well as between FA interfaces connecting to the private Intranet, and between the HA and Private Intranet.
- Multiple VPNs required, one for each possible interface combination.
- Tunnels necessary between FAs on the Internet and the Firewall to provide connection of private address space over the public Internet.
- Reverse tunneling required, as requests from MR LAN hosts must pass through the Proxy inside the main firewall. VPNs take care of this.

Slide 25: Military Applications
[Diagram: Battle Groups A, B and C, an Artillery Support Group, an Intelligence Control Center and a Battle Group Command Center (BGCC), with AWACS and UAV platforms. Tactical data forwarded from surveillance satellites to the BGCC; communications link between BGCC and the Field Command Posts. Home-Agent deployed in the BGCC; Foreign-Agents deployed in UAVs, in a Tracked Command Post Carrier and in Mobile Command Posts; Mobile-Routers deployed in Armored Field Units, Airborne Support Units, Field Units and Field Artillery Units]

Slide 26: ATN Security Notes
- Encryption
  – Still under development
  – Asymmetric Cryptography (Public/Private Keys)
  – Session-specific secret key (variant of Diffie-Hellman)
- Message Authentication
  – HMAC, IETF RFC 2104
  – Hash Function (Secure Hash Algorithm Revision One, NIST)
- Authentication
  – Digital Signature (elliptic curve variant of Digital Signature Algorithm)
  – Hash Function
  – Asymmetric Enciphered (private key)
  – Certificate Authority
  – Cross-certificates
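The message-authentication bullet names HMAC (RFC 2104) over SHA-1, and the encryption bullet a Diffie-Hellman-derived session key. The following Python example is added here and is not taken from the presentation or from any ATN specification: it implements HMAC-SHA1 directly from the RFC 2104 construction, derives a session key from a toy Diffie-Hellman exchange, and shows a tampered message being rejected. The 127-bit DH group, the SHA-1 key-derivation step, the helper names and the sample message are assumptions made for the example; the slide's ECDSA signatures and certificates are not covered.

```python
import hashlib
import hmac as stdlib_hmac
import secrets
from typing import Optional, Tuple

SHA1_BLOCK = 64   # B in RFC 2104: SHA-1 processes 64-byte blocks
IPAD = 0x36
OPAD = 0x5C


def hmac_sha1(key: bytes, message: bytes) -> bytes:
    """HMAC exactly as RFC 2104 defines it: H(K^opad || H(K^ipad || text)), with H = SHA-1."""
    if len(key) > SHA1_BLOCK:              # keys longer than a block are hashed first
        key = hashlib.sha1(key).digest()
    key = key.ljust(SHA1_BLOCK, b"\x00")   # then zero-padded out to the block size
    inner = hashlib.sha1(bytes(k ^ IPAD for k in key) + message).digest()
    return hashlib.sha1(bytes(k ^ OPAD for k in key) + inner).digest()


def matches_stdlib(key: bytes, message: bytes) -> bool:
    """Cross-check against Python's hmac module, which implements the same construction."""
    return hmac_sha1(key, message) == stdlib_hmac.new(key, message, hashlib.sha1).digest()


# TOY Diffie-Hellman group: a 127-bit Mersenne prime, far too small for real use.
# Real deployments use a standard 2048-bit or larger MODP group or an elliptic-curve group.
DH_P = 2 ** 127 - 1
DH_G = 5


def dh_keypair() -> Tuple[int, int]:
    """(private exponent, public value g^x mod p)."""
    x = secrets.randbelow(DH_P - 2) + 1
    return x, pow(DH_G, x, DH_P)


def dh_shared_secret(private: int, peer_public: int) -> int:
    return pow(peer_public, private, DH_P)


def session_key(shared: int) -> bytes:
    """Turn the DH secret into a fixed-length HMAC key (assumed derivation: SHA-1 of its big-endian encoding)."""
    return hashlib.sha1(shared.to_bytes(16, "big")).digest()


def protect(key: bytes, message: bytes) -> bytes:
    """Append a 20-byte HMAC-SHA1 tag so the receiver can detect any change in transit."""
    return message + hmac_sha1(key, message)


def verify(key: bytes, wire: bytes) -> Optional[bytes]:
    """Return the message if the tag checks out, None if it was altered or keyed wrongly."""
    if len(wire) < 20:
        return None
    message, tag = wire[:-20], wire[-20:]
    return message if stdlib_hmac.compare_digest(tag, hmac_sha1(key, message)) else None


def run_exchange(message: bytes) -> Tuple[bool, bool, int]:
    """Both sides derive the same session key, one protects a message, the other verifies it
    and also a copy with one flipped bit. Returns (genuine accepted, tampered accepted, bytes added)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = session_key(dh_shared_secret(a_priv, b_pub))
    key_b = session_key(dh_shared_secret(b_priv, a_pub))
    assert key_a == key_b                      # both sides hold the same session key
    wire = protect(key_a, message)
    tampered = bytes([wire[0] ^ 0x01]) + wire[1:]
    return verify(key_b, wire) == message, verify(key_b, tampered) is not None, len(wire) - len(message)


if __name__ == "__main__":
    # Constructed sample message, standing in for a short air-ground data-link instruction.
    ok, tampered_ok, overhead = run_exchange(b"CLIMB TO AND MAINTAIN FL350")
    print(f"genuine message accepted: {ok}, tampered copy accepted: {tampered_ok}, "
          f"authentication overhead: {overhead} bytes per message")
```

The overhead figure is the part that bears on the next slide's question about CPDLC bandwidth: integrity protection costs one 20-byte tag per message (12 bytes if truncated to HMAC-SHA1-96), plus one public-value exchange per session to establish the key.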

Slide 27: Example of Cryptographic Services
- Can CPDLC bandwidth handle encryption and AAA?

Slide 28: Example of Certificate Environment

Slide 29: Conclusions
- Security is necessary, albeit often painful
- Key distribution and AAA methods need to be developed that ease deployment
- We need to be aware of middleware
- Increased security requires increased bandwidth and connectivity
- A mobile network means different things to different people
  – Mobile user
  – Entire networks in motion
- Too much security may result in less security
  – Security bypassed for the sake of performance!

