Supporting A Laptop Environment
Erick Engelke, Faculty of Engineering, University of Waterloo

Initial Requirements
- check client identity
- userid/password to authenticate, authorize and log usage
- password verification (Active Directory)
- many similar solutions available (now)
- uncertain of other needs at that time

Network Authentication Appliance
- homegrown box (FreeBSD) to:
  - authenticate against either of 2 Active Directories
  - authorize access
  - log usage
  - act as router/firewall

Observations
- laptops outsell desktops
- expect continued growth of laptop usage
- new learning opportunities with laptops, but also new challenges for staff
- chasing security and bandwidth issues is time-consuming for staff

Part 1: Bandwidth Management (thanks to Bruce Campbell)

Bandwidth Problem
- laptops consistently became the highest bandwidth consumers
- chasing people for bandwidth usage is time consuming
- is it possible to classify bandwidth as good/academic versus evil/recreational?

Good Versus Bad
- are there good and bad protocols?
- KAZAA, SKYPE are bad!
- SSH is good!
- except
  - SKYPE for collaboration is good
  - SSH used to tunnel bad protocols is bad

What are we trying to solve?
- if the issue is excessive bandwidth consumption, we are trying to reduce unnecessary bandwidth!

Traffic Shaping
- flat rate shaping is common
- to constrain a user to 2 GB/day: about 20 kB/s. Yikes! Interactive web sites and ordinary browsing are hindered
- 100 kB/s yields 2 DVD downloads per day using BitTorrent, but still feels slow: 30 seconds to download a 3 MB PowerPoint deck

Analyze Typical Traffic Patterns
- consistent low traffic volume is fine
- sustained high volume is bad
- bursts of high traffic are typical of web browsing, page editing, book reading, etc.

Traffic Shaping Summary
- fancy shaping algorithms like RED, WFQ, etc. are very coarse tools for bandwidth management
- they only measure what is going through the pipe now, not what has already gone through it
- we want a feedback loop!

Toilet Tank Traffic Shaper
- emulate a toilet
  - reservoir of bandwidth
  - high output flow
  - small input flow
- users can enjoy a burst of bandwidth, but it slows to a trickle if you hold the lever
- release the lever and the reservoir refills, ready for the next download

TTTS Settings
- tank size
- maximum output rate
- maximum input rate
- minimum time to empty
  - causes output rate to decrease exponentially
- full percent
  - level at which full output rate is available

How It Works Internally
- uses FreeBSD's flat rate traffic shaping
- cron job every minute
  - looks at past traffic
  - 'pipes' are resized according to formula
- high volume users see gradual slowing
- when they stop, the speed increases
- "doctor, it hurts when I do this" ... "well, stop doing that!"

TTTS Settings at UW
- tank size: 200 MB
- max bandwidth: unlimited
- min bandwidth: 40 kB/s
- min empty time: 5 minutes
- full percent: 80%
- separate upload/download queues
- negligible effect on 95% of users
  - as if there were no rate limiting at all!
- sustained heavy bandwidth use is not possible

Part 2: Client Admission Control (MinUWet)

Goal
- we want a strategy which encourages responsible client laptop management: antivirus installed, receiving Windows updates

How to Encourage Security
- educate (?)
- reward
- or: remind, nag, embarrass, punish

Goals
- detect and zero in on problem OSes
- for Windows: need antivirus, updates
- other OSes must not be hindered

MinUWet
- NAA detects OS at login time
- vulnerable OSes
  - placed into restricted mode, just HTTP access
  - that's enough to get the latest updates and definitions
  - must run/pass our client validation tool (MinUWet) to get additional network protocols
- other OSes are not affected

Not Entirely Original
- similar to Cisco's Network Admission Control and MS Network Access Protection
- Cisco and MS systems are stronger, but less flexible and require a big investment or waiting for release
- MinUWet doesn't have to be perfect, just better than the previous mess
- MinUWet can be retired when better options arrive

Statistics from Two Week Trial
- just Faculty of Engineering
- 6486 wireless Windows users
- 1/4 of them failed MinUWet initially
- 1/2 of failures were then fixed by users and staff
- zero observed security threats (snort)

Campus-wide Deployment
- day 1
  - informed IT helpdesk staff
- day 2
  - message in daily bulletin
  - brief message at every wireless login
  - users may choose to test their systems
- day 14
  - system goes live campus-wide in enforce mode

Observations
- great for IT staff, no chasing people
- users of poorly managed systems are informed
- fast, takes only seconds
- people don't like running it every time

MinUWet Memory Added
- laptops now validate only once per week
- two-thirds of laptops are pre-approved
- still frequent enough to catch computers which fall out of scope of AV or patches
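The admission policy from the MinUWet slide together with the one-week memory just described, as an added example that is not the University of Waterloo's NAA code: a Python decision function the appliance could run at login and per flow. The slides fix the policy (OS fingerprint at login, HTTP-only until the tool passes, a pass remembered for a week, other OSes untouched); the restricted port set, the advisory/enforce switch for the day 2 to day 14 window, keying clients by MAC and the rule that a failed run revokes a remembered pass are assumptions for the illustration.

```python
"""MinUWet-style admission decisions with a one-week validation memory.

Added example, not the University of Waterloo NAA code.  Port numbers, the
advisory/enforce switch, the client record layout and the revoke-on-failure
rule are assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

VALIDATION_LIFETIME = timedelta(days=7)     # "validate only once per week"
RESTRICTED_TCP_PORTS = frozenset({80})      # assumption: restricted pipe passes only HTTP
FULL = "full"
RESTRICTED = "restricted"


@dataclass
class ClientRecord:
    mac: str                                # key the NAA uses for the client (assumption)
    os_family: str                          # NAA fingerprint result: "windows", "macos", ...
    last_pass: Optional[datetime] = None    # when MinUWet last passed; None = never

    def validated(self, now: datetime) -> bool:
        return self.last_pass is not None and now - self.last_pass < VALIDATION_LIFETIME


def access_class(client: ClientRecord, now: datetime, enforce: bool = True) -> str:
    """Decide which pipe a login lands in.  enforce=False models the day 2..14
    announcement period, where a failure is reported but not applied."""
    if client.os_family != "windows":
        return FULL                          # other OSes must not be hindered
    if client.validated(now):
        return FULL                          # remembered pass, tool not required
    return RESTRICTED if enforce else FULL


def record_result(client: ClientRecord, passed: bool, now: datetime) -> str:
    """Apply one MinUWet run.  A pass opens a new one-week window; a failure
    revokes any remembered pass (assumption: stricter than letting it ride)."""
    client.last_pass = now if passed else None
    return access_class(client, now)


def allow_tcp(client: ClientRecord, dst_port: int, now: datetime,
              enforce: bool = True) -> bool:
    """Firewall decision for one outbound TCP flow from the client."""
    if access_class(client, now, enforce) == FULL:
        return True
    return dst_port in RESTRICTED_TCP_PORTS


if __name__ == "__main__":
    # constructed records: one Windows laptop, one Mac
    t0 = datetime(2006, 9, 18, 9, 0)
    laptop = ClientRecord("00:11:22:33:44:55", "windows")
    print("login:", access_class(laptop, t0))                    # restricted
    print("after pass:", record_result(laptop, True, t0))        # full
    print("ssh a week later:", allow_tcp(laptop, 22, t0 + timedelta(days=7)))
    print("mac:", access_class(ClientRecord("66:77:88:99:aa:bb", "macos"), t0))
```

Two caveats a deployment would hit. The HTTP-only set is enough for 2006-era update servers; current Windows Update and AV definition feeds are HTTPS, so port 443 would have to join the restricted set, which also widens what an unvalidated client can reach. And keying the memory by MAC (or by the login identity) is only as strong as the OS fingerprint and the client-side tool, which is exactly the "doesn't have to be perfect, just better than the previous mess" trade-off the slides make.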

What We Learned
- client validation works, every school will get it eventually
- some users know they will fail, so they live with HTTP-only access
- IT support made more scalable
- may be a good idea for grad student wired computers and residences

Wireless Needs (Revised)
- identity (auth/access/logging)
- bandwidth management
- admission control
- data encryption (VPN, 802.1X)
- roaming: variety of options

Thank You