
Eduroam JP and development of UPKI roaming Yoshikazu Watanabe*, Satoru Yamano* Hideaki Goto**, Hideaki Sone** * NEC Corporation, Japan ** Tohoku University,


1 eduroam JP and development of UPKI roaming
Yoshikazu Watanabe*, Satoru Yamano*, Hideaki Goto**, Hideaki Sone**
* NEC Corporation, Japan; ** Tohoku University, Japan
APAN24, Xi’an, 28 Aug. 2007

2 Contents
– UPKI project and network roaming
– eduroam in Japan
– Problems and solutions
– Access control of roaming users regarding local resources
– Summary

3 UPKI project and network roaming
UPKI: University PKI (also referred to as the Inter-University Authentication and Authorization Platform)
– Campus Ubiquitous Network (Tohoku Univ.): R&D of an authentication/policy-based network control mechanism
– Introduction of eduroam to Japan
– R&D of the UPKI roaming system
Collaborative research by Tohoku Univ. and NEC

4 eduroam in Japan
2006
– Aug. 31: Tohoku University connected to Asia-Pacific eduroam
– Sep. 28: eduroam JP website opened
– Dec.: Connected to the Asia-Pacific eduroam secondary server in Hong Kong
– Dec.: Four organizations federated: High Energy Accelerator Research Organization (KEK), National Institute of Informatics (NII), Hokkaido Univ., and Kyoto Univ.
2007
– June: Kyushu University federated
eduroam JP website: http://www.eduroam.jp/

5 eduroam JP network
(Diagram: JP Primary and JP Secondary servers; member institutions Hokkaido Univ., Tohoku Univ., Kyoto Univ., KEK, NII and Kyushu Univ.; upstream AP Primary and AP Secondary servers (Australia, Hong Kong), connected onward to Europe. Caption: "The first eduroam AP in Japan".)

6 Circumstance in Japan
Scale
– Lots of universities and colleges (87 national, 76 public, 571 private, plus colleges; 1,200+ total as of Apr. 2006)
– Large universities (some have 30,000+ people)
Operational policy
– Guest use of IP addresses owned by a visited institution for Internet access is not acceptable (nearly illegal) in many cases.
– Each institution has different network administration policies.

7 Problem about scale
Problem
– Lots of universities and colleges → configuring RADIUS proxies by hand, one realm per institution, becomes very hard
Solution
– Realm regular-expression patch for FreeRADIUS: a patch that makes it possible to configure proxying with regular expressions; adopted in recent versions of FreeRADIUS
– RadSec is also expected to solve this problem, and further to enhance the flexibility of configuration.
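The realm-pattern routing that the regular-expression patch makes possible, re-implemented as a small stand-alone model so the matching rules can be exercised offline. This is an added example, not code from the slides and not FreeRADIUS itself (the real proxy.conf syntax is not shown here and varies by version). The routing table, the institution realms, the upstream proxy name and the "reject unknown .jp realms locally" rule are assumptions for illustration.

```python
"""Realm-based RADIUS proxy routing with anchored regular expressions.
Added example; the routes below are assumed for illustration."""
import re
from typing import Optional

# Ordered routing table for a hypothetical JP-level proxy: first match wins.
# Every pattern is anchored at both ends on purpose: an unanchored
# "tohoku\.ac\.jp" would also match a user who claims the realm
# "evil-tohoku.ac.jp" and send that request to Tohoku's server.
ROUTES = [
    (r"^(.*\.)?tohoku\.ac\.jp$",   "radius.tohoku.ac.jp"),
    (r"^(.*\.)?hokudai\.ac\.jp$",  "radius.hokudai.ac.jp"),
    (r"^(.*\.)?kyoto-u\.ac\.jp$",  "radius.kyoto-u.ac.jp"),
    (r"^(.*\.)?kek\.jp$",          "radius.kek.jp"),
    (r"^(.*\.)?nii\.ac\.jp$",      "radius.nii.ac.jp"),
    (r"^(.*\.)?kyushu-u\.ac\.jp$", "radius.kyushu-u.ac.jp"),
]
JP_SUFFIX = re.compile(r"\.jp$")
DEFAULT_NEXT_HOP = "ap-primary.eduroam.example"   # assumed upstream (Asia-Pacific) proxy


def realm_of(user_name: str) -> Optional[str]:
    """Extract the realm from an NAI (user@realm). Split on the LAST '@' so
    that an '@' inside the user part cannot choose the realm."""
    if "@" not in user_name:
        return None
    realm = user_name.rsplit("@", 1)[1].strip().lower()
    return realm or None


def route(user_name: str, routes=ROUTES) -> Optional[str]:
    """Return the next-hop server for User-Name, or None to reject locally."""
    realm = realm_of(user_name)
    if realm is None:
        return None                 # no realm: not a roaming user, reject
    for pattern, next_hop in routes:
        if re.search(pattern, realm):
            return next_hop
    if JP_SUFFIX.search(realm):
        return None                 # unknown Japanese realm: reject here rather than
                                    # bounce it upstream, where it would only loop back
    return DEFAULT_NEXT_HOP         # foreign realm: hand to the upstream proxy
```

The sub-realm form `user@cc.tohoku.ac.jp` is routed to the same home server as `user@tohoku.ac.jp`, which is the case the per-institution static configuration handles badly; the anchoring is the check to keep when translating such patterns into a real proxy configuration.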

8 Problem about operational policy
Problem
1. Guest use of IP addresses in a visited institution is not acceptable.
– Responsible bodies become unclear.
– Visited institutions are often involved in resolving trouble (e.g. cracking, illegal access).
– It causes a violation of the subscription conditions of IP-address-based licensing (e.g. online journals).
2. Each institution has different network administration policies.
→ Visited institutions need a way to authorize roaming guests' access to local resources.
Two approaches:
– VPN-only policy (for Internet access)
– Exchange of user class information and access control for local resources

9 Proposed solutions (Campus Ubiquitous Network)
(Diagram: home institution and visited institution, each with a RADIUS server, local resources, a VPN server, an AP, a firewall and a client running supplicant software, connected via the Internet.)
1. VPN-only policy: roaming users must use a home VPN server to access the Internet. After authentication at the AP, the user connects to the home VPN server and goes outside from there, using a home IP address. Direct access to the Internet from the visited institution's network is prohibited.
2. Exchange of user class information and access control for local resources: an extension to eduroam authentication that exchanges authorization information and applies access control. This is our recent main theme.

10 Exchange of user class information and access control for local resources
Basic idea
– Extend the eduroam authentication procedure.
– The home RADIUS server attaches user class information to the RADIUS Access-Accept packet.
– The RADIUS server in the visited institution authorizes the user's access to local resources according to the received user class and local policies.
→ Realizes access control for local resources
A prototype implementation is done.

11 User class
– Classification of users by common criteria in the eduroam federation
– Each institution assigns a user class to each of its users in advance.

12 Example of access control for local resources by user class
(Diagram: visited institution with AP, client, local service (e.g. printer), campus network, firewalls and the Internet; the user class decides how far a user's traffic may go.)
– Users of class 1 cannot access local resources.
– Users of class 2 can access only the local network.
– Users of class 3 can access the campus network, but cannot access the Internet directly.
– Users of class 4 can access the Internet directly.

13 Procedure: Access-Request
(Diagram: client with supplicant software, AP, RADIUS server, local resources and firewall at the visited institution; the same at the home institution; connected via the Internet.)
– Client: start 802.1X authentication.
– Visited institution: use eduroam to authenticate the user; send a RADIUS Access-Request (a normal RADIUS Access-Request packet, as usual in eduroam).
– Home institution: authenticate and authorize the user.

14 Procedure: Access-Accept
– Home institution: retrieve the user class for the user, and send a RADIUS Access-Accept packet carrying the user class information.
– Visited institution: authorize access to local resources using the received user class and local policies.

15 Procedure: Access-Accept (cont.)
– Visited RADIUS server: send a RADIUS Access-Accept packet to the AP with information on the authorized local resources (as opposed to the ordinary Access-Accept packet, which carries no such information).
– AP: set filtering rules according to the received information.
– 802.1X authentication succeeds.

16 Procedure: access to local resources
– The client accesses local resources.
– The AP filters traffic to local resources according to the rules set at authentication, blocking unauthorized access.
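The Access-Accept exchange of slides 13 to 16, modelled end to end in runnable form: the home server attaches the user class to its Access-Accept, the visited server verifies the reply, maps the class onto its local policy and tells the AP which filter set to apply. This is an added example, not code from the slides or from the authors' prototype. The slides do not say how the class is encoded, so the following are assumptions: the class travels in the standard RADIUS Class attribute (type 25) as the text "UPKI-CLASS:<n>", the visited server signals its decision to the AP in Filter-Id (type 11), the filter-set names are invented, and the class-to-resource policy is the four-level one from slide 12.

```python
"""Access-Accept with a user-class attribute, and the visited institution's
authorization step. Added example; attribute choices and policy names are
assumptions, not part of the original slides."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID, ATTR_CLASS = 11, 25
CLASS_PREFIX = b"UPKI-CLASS:"           # assumed encoding of the user class
MOST_RESTRICTIVE = 1

# Visited-institution policy (assumed names): user class -> local filter set.
LOCAL_POLICY = {
    1: "deny-local",            # cannot access local resources
    2: "local-net-only",        # local network only
    3: "campus-no-internet",    # campus network, no direct Internet access
    4: "campus-and-internet",   # may access the Internet directly
}


def encode_attrs(attrs):
    """Serialize (type, value) pairs as RADIUS TLVs: type, length (incl. header), value."""
    out = b""
    for t, v in attrs:
        if len(v) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(blob):
    """Parse RADIUS TLVs, rejecting lengths that run past the buffer."""
    attrs, i = [], 0
    while i < len(blob):
        t, length = struct.unpack_from("!BB", blob, i)
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((t, blob[i + 2:i + length]))
        i += length
    return attrs


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def home_access_accept(ident, request_auth, secret, user_class):
    """Home server (slide 14): Access-Accept carrying the user's class."""
    attrs = encode_attrs([(ATTR_CLASS, CLASS_PREFIX + str(user_class).encode())])
    return build_access_accept(ident, request_auth, secret, attrs)


def verify_response(pkt, request_auth, secret):
    """Check the Response Authenticator before trusting any attribute in a reply."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack_from("!BBH", pkt, 0)
    if code != ACCESS_ACCEPT or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def user_class_from(pkt):
    """Extract the class; a missing, malformed or unknown class collapses to class 1."""
    for t, v in decode_attrs(pkt[20:]):
        if t == ATTR_CLASS and v.startswith(CLASS_PREFIX):
            try:
                c = int(v[len(CLASS_PREFIX):])
            except ValueError:
                return MOST_RESTRICTIVE
            return c if c in LOCAL_POLICY else MOST_RESTRICTIVE
    return MOST_RESTRICTIVE


def visited_access_accept(home_pkt, home_request_auth, home_secret,
                          ap_ident, ap_request_auth, ap_secret):
    """Visited server (slides 14-15): verify the home reply, map class -> local
    filter, and answer the AP with an Access-Accept carrying only the visited
    institution's own authorization. Home-side attributes are not copied through,
    so a home server cannot grant itself access to local resources. (A real 802.1X
    deployment must still pass the EAP-Message and MS-MPPE key attributes from the
    home server to the AP; that part is omitted from this model.)"""
    if not verify_response(home_pkt, home_request_auth, home_secret):
        return None                                   # treat as Access-Reject
    try:
        filter_name = LOCAL_POLICY[user_class_from(home_pkt)]
    except ValueError:
        return None                                   # malformed attributes
    attrs = encode_attrs([(ATTR_FILTER_ID, filter_name.encode())])
    return build_access_accept(ap_ident, ap_request_auth, ap_secret, attrs)
```

Two design choices carry the security of the scheme: the class is only honoured after the Response Authenticator checks out under the shared secret of the hop it arrived from, and an absent or unrecognized class falls to class 1, so a home server that has not adopted the extension yields a guest with no local access rather than a guest with all of it.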

17 Issues to be examined
– The definition of the "user class" in eduroam: representation, granularity, and so on
– How to realize and control the communication between roaming users and local resources
– Et cetera

18 Summary
– 6 institutions are participating in eduroam JP.
– Issues regarding roaming have been revealed through the deployment of eduroam JP.
– We are examining access control of roaming users regarding local resources.

19 Thank you for your kind attention.


21 The problem about traceability
(Diagram: a visitor at the visited institution, using a host IP address, makes an illegal access to a server on the Internet; the home institution is shown separately.)
– What if a visitor with an IP address of the visited institution attacks servers outside?
– Guest users using the host's IP addresses are recognized as members of the host institution.
– A visitor cannot access the user's home resources.

22 Traceability: case study 1
– University B subscribes to an electronic journal X, while another university A does not.
– A student at univ-A goes to univ-B so that he/she can download journal X using the WLAN roaming.
– Since the student downloaded too many articles at once, the publisher thought it was a violation of the subscription conditions and sent a complaint to univ-B.
– In univ-B, the network manager has to analyze the roaming logs and contact univ-A to search for the user.
– User tracking and communication between universities are laborious. Even between departments in a university, such user tracking is very difficult. It is much more difficult between countries.

23 Traceability: case study 2
– Some resources such as local web servers in univ-B are protected by address-based access restriction.
– When people from univ-A visited univ-B, they could gain access to those resources through the WLAN roaming system.
– Even if the administrators of the web servers examine the access logs, the outsiders' accesses cannot be noticed, because "local" IP addresses were used.

24 Possible solution for roaming issues: dedicated network
(Diagram: visited university with a campus LAN and a dedicated network, home university, publisher, the Internet.)
– A dedicated network might be useful for solving the responsibility problems.
– User tracking remains difficult.
– WLAN users cannot use local resources, which can be either a merit or a demerit.

25 VPN-only solution: permitted protocols for roaming users
VPN
– PPTP (GRE (IP protocol 47), TCP/1723)
– OpenVPN (UDP/1194)
– SSH (TCP/22)
– IPsec NAT-traversal (UDP/4500)
– Cisco IPsec (TCP/10000)
– L2TP (UDP/1701)
Others
– pop3 (TCP/110)
– pop3s (TCP/995)
– imap4 (TCP/143)
– imaps (TCP/993)
– ssmtp (TCP/465)
– msa (TCP/587)
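The permitted-protocol table above, turned into a small policy engine that answers "may this flow leave the guest segment?" and emits an nftables ruleset enforcing it with a default of drop. This is an added example, not the slide authors' configuration. The protocol/port table is the one on the slide; the guest interface name, the guest subnet and the use of nftables are assumptions.

```python
"""VPN-only policy for roaming guests: flow check plus nftables ruleset.
Added example; the table is from the slide, everything else is assumed."""

# (label, protocol, destination port or None). GRE has no ports, so it is
# matched on IP protocol number alone.
PERMITTED = [
    ("PPTP control", "tcp", 1723), ("PPTP data (GRE)", "gre", None),
    ("OpenVPN", "udp", 1194), ("SSH", "tcp", 22),
    ("IPsec NAT-traversal", "udp", 4500), ("Cisco IPsec over TCP", "tcp", 10000),
    ("L2TP", "udp", 1701),
    ("pop3", "tcp", 110), ("pop3s", "tcp", 995), ("imap4", "tcp", 143),
    ("imaps", "tcp", 993), ("ssmtp", "tcp", 465), ("msa", "tcp", 587),
]
GUEST_IFACE, GUEST_NET = "wlan-guest", "10.200.0.0/16"   # assumed guest segment


def permitted(proto, dport=None):
    """True if a new outbound flow (protocol, destination port) is allowed
    off the guest segment. Anything not in the table is denied."""
    proto = proto.lower()
    for _label, p, port in PERMITTED:
        if p == proto and (port is None or port == dport):
            return True
    return False


def nft_ruleset():
    """Render the same policy as an nftables forward chain with policy drop.
    Return traffic is admitted by conntrack state, so only the initial
    direction needs a rule per protocol."""
    prefix = f'    iifname "{GUEST_IFACE}" ip saddr {GUEST_NET}'
    lines = [
        "table inet roaming_guest {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for label, p, port in PERMITTED:
        match = "ip protocol gre" if port is None else f"{p} dport {port}"
        lines.append(f"{prefix} {match} accept  # {label}")
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(nft_ruleset())
```

Two gaps a practitioner will notice when deploying this list as-is: it contains no DNS or DHCP, so the guest client cannot even resolve the name of its home VPN server unless those are admitted separately, and native IPsec (IKE on UDP/500 and ESP, IP protocol 50) is absent, so only the NAT-traversal form on UDP/4500 listed on the slide will work.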

