Presentation is loading. Please wait.

Presentation is loading. Please wait.

Securing Mobile Networks

Published byLeonardo Palma Caldas Modified over 5 years ago

Similar presentations

Presentation on theme: "Securing Mobile Networks"— Presentation transcript:

1 Securing Mobile Networks
An Enabling Technology for National and International Security and Beyond

2 Goals for November 6th Highlight Mobile Networking Technology
Emphasizing National and International Security today due to time limitations. Discuss security policy Enabling shared infrastructure (when reasonable) Next Steps (Afternoon Session) Other Items (Afternoon Session)

3 Today’s Audience Big Picture People Policy Makers Media Code Writers
Implementers Please, don’t be afraid to ask questions.

4 Neah Bay / Mobile Router Project
Cleveland Detroit Foreign-Agent Somewhere, USA Home-Agent Anywhere, USA Internet Neah Bay Outside of wireless LAN range, connected to FA via Globalstar. Connected to FA via wireless LAN at Cleveland harbor

5 Why NASA/USCG/Industry
Real world deployment issues can only be addressed in an operational network. USCG has immediate needs, therefore willingness to work the problem. USCG has military network requirements. USCG is large enough network to force us to investigate full scale deployment issues USCG is small enough to work with. NASA has same network issues regarding mobility, security, network management and scalability.

6 Mobile-Router Advantages
Share wireless and network resources with other organizations $$$ savings Set and forget No onsite expertise required However, you still have to engineer the network Continuous Connectivity (May or may not be important to your organization) Robust Secondary Home Agent (Reparenting of HA)

7 Mobile Network Design Goals
Secure Scalable Manageable Ability to sharing network infrastructure Robust

8 Shared Network Infrastructure
Public Internet FA MR US Coast Guard Canadian Coast Guard ACME Shipping HA ACME SHIPPING US Navy Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

9 Secondary Home Agent (reparenting the HA)
X Secondary Home Agent Primary Home Agent Reparenting Home Agent Helps resolve triangular routing Problem over long distances

10 Emergency Backup (Hub / Spoke Network)
If primary control site becomes physically inaccessible but can be electronically connected, a secondary site can be established. If primary control site is physically incapacitated, there is no backup capability.

11 Secondary Home Agent (Fully Meshed Network)
If primary control site is physically incapacitated, a second or third or forth site take over automatically. 3 5 1 2 4

12 We Are Running with Reverse Tunneling
Pros Ensures topologically correct addresses on foreign networks Required as requests from MR LAN hosts must pass through Proxy inside main firewall Greatly simplifies setup and management of security associations in encryptors Greatly simplifies multicast – HA makes for an excellent rendezvous point. Cons Uses additional bandwidth Destroys route optimization

13 Encryption Mobile LAN 10.x.x.x MR Tunnel Endpoint (Public Space) PROXY USCG INTRANET 10.x.x.x INTERNET FIREWALL FA - Detroit Encryption HA HA Tunnel Endpoint (Public Space) 802.11b link FA – Cleveland Public Address

14 Open Network Data Transfers Dock Encryption Mobile LAN 10.x.x.x EAST
WEST PROXY USCG INTRANET 10.x.x.x INTERNET FIREWALL FA - Detroit Dock Encryption EAST WEST HA FA Cleveland 802.11b link Public Address USCG Officer’s Club

15 Encrypted Network Data Transfers
Dock Encryption Mobile LAN 10.x.x.x EAST WEST PROXY USCG INTRANET 10.x.x.x INTERNET FIREWALL FA - Detroit Encryption EAST WEST HA Dock FA Cleveland 802.11b link Public Address USCG Officer’s Club

16 Monitoring Points Dock Encryption Mobile LAN 10.x.x.x EAST WEST USCG
PROXY USCG INTRANET 10.x.x.x INTERNET FIREWALL Open Network Monitoring Point FA - Detroit Encryption EAST WEST HA Dock FA Cleveland 802.11b link Open Network Monitoring Point Public Address USCG Officer’s Club

17 We are using lots of bandwidth
Note, We are monitoring The Neah Bay. We are using lots of bandwidth To do this. Dock Encryption Mobile LAN 10.x.x.x EAST WEST PROXY USCG INTRANET 10.x.x.x INTERNET FIREWALL FA - Detroit Dock Encryption EAST WEST HA FA Cleveland 802.11b link Public Address USCG Officer’s Club

18 We are using lots of bandwidth
Note, We are monitoring The Neah Bay. We are using lots of bandwidth To do this. Dock Encryption Mobile LAN 10.x.x.x EAST WEST PROXY USCG INTRANET 10.x.x.x INTERNET FIREWALL FA - Detroit Dock Encryption EAST WEST HA FA Cleveland 802.11b link Public Address USCG Officer’s Club

19 RF Bandwidth 7 Kbps to 56 Kbps in 7 Kbps chunks (1 to 2.5 seconds delay) Dock 11.0 Mbps (auto-negotiated and shared with Officer’s Club) Encryption Mobile LAN 10.x.x.x EAST 1.0 Mbps (manually set) WEST 1.0 Mbps (manually set)

20 Wireless Only? Wireless can be jammed
Particularly unlicensed spectrum such as Satellites is a bit harder Solution is to find interferer and make them stop. You still want land line connections Mobile Routing can be used over land lines.

21 Globalstar/Sea Tel MCM-8
Initial market addresses maritime and pleasure boaters. Client / Server architecture Current implementation requires call to be initiated by client (ship). Multiplexes eight channels to obtain 56 kbps total data throughput. Full bandwidth-on-demand. Requires use of Collocated Care-of-Address

22 Satellite Coverage Globalstar INMARSAT From SaVi

23 Sea Tel Tracking Antenna
Layer 2 Technology Globalstar MCM-8 L3-Comm 15 dBic Tracking Antenna Hypergain 802.11b Flat Panel 8 dBi Dipole Sea Tel Tracking Antenna

24 Backbone Network Topology Detail Network Diagram (Intentionally Blank)

25 Neah Bay Network Topology Detail Network Diagram (Intentionally Blank)

26 USCG Officer’s Club Network Topology Detail Network Diagram
(Intentionally Blank)

27 Securing Mobile and Wireless Networks
Some ways may be “better” than others!

28 Constraints / Tools Policy Architecture Protocols

29 (Private Address Space)
IPv4 Utopian Operation CN US Coast Guard Operational Network (Private Address Space) Public Internet US Coast Guard Mobile Network HA Triangular Routing FA MR

30 IPv4 “Real World” Operation
CN Proxy had not originated the request; therefore, the response is squelched. Peer-to-peer networking becomes problematic at best. Glenn Research Center Policy: No UDP, No IPSec, etc… Mobile-IP stopped in its tracks. What’s your policy? US Coast Guard Operational Network (Private Address Space) Public Internet P R O X y US Coast Guard Mobile Network HA USCG Requires 3DES encryption. WEP is not acceptable due to known deficiencies. Ingress or Egress Filtering stops Transmission due to topologically Incorrect source address. IPv6 Corrects this problem. FA MR

31 Current Solution – Reverse Tunneling
CN Adds Overhead and kills route optimization. US Coast Guard Operational Network (Private Address Space) Public Internet P R O X y US Coast Guard Mobile Network HA FA Anticipate similar problems for IPv6. MR

32 Shared Network Infrastructure
Public Internet FA MR US Coast Guard Canadian Coast Guard ACME Shipping HA ACME SHIPPING US Navy Encrypting wireless links makes it very difficult to share infrastructure. This is a policy issue.

33 Security Security  Bandwidth Utilization  Security  Performance 
Tunnels Tunnels Tunnels and more Tunnels Performance  Security   User turns OFF Security to make system usable! Thus, we need more bandwidth to ensure security. HEADER ENCRYPTION ON THE RF LINK HEADER ENCRYPTION AT THE NETWORK LAYER HEADER VIRTUAL PRIVATE NETWORK PAYLOAD HEADER ORIGINAL PACKET

34 Additional and Future Security Solutions
AAA Routers (available today) Wireless bridges and access points (available 2002) IPSec on router interface Encrypted radio links IPSec, type1 or type2, and future improved WEP

35 Conclusions Security Breaks Everything 
At least it sometimes feels like that. Need to change policy where appropriate. Need to develop good architectures that consider how the wireless systems and protocols operate. Possible solutions that should be investigated: Dynamic, Protocol aware firewalls and proxies. Possibly incorporated with Authentication and Authorization.

36 Moblile-IP Operation IPv4

37 Mobile-IP (IPv4) Mobile Node Foreign Agent Foreign Agent
“ ” Home IP Care-Off-Address Foreign Agent Foreign Agent NASA Glenn NASA Ames Internet or Intranet NASA Goddard Corresponding Node Home Agent

38 Mobile-Router (IPv4) Mobile Router
Virtual LAN Interface Mobile Router (Mobile Node) Roaming Interface Tunnel-0 MR Loopback Virtual Interface COA FA WAN Tunnel-1 Foreign Agent Internet WAN Internet Internet WAN Home Agent HA Loopback Virtual Interface Corresponding Node

39 Collocated Care-Of-Address
Mobile-Router (IPv4) Collocated Care-Of-Address Virtual LAN Interface Mobile Router (Mobile Node) Roaming Interface Tunnel-0 MR Loopback Virtual Interface COA FA WAN No Foreign Agent No Second Tunnel Foreign Agent Tunnel-1 Internet WAN Internet Internet WAN Home Agent HA Loopback Virtual Interface Corresponding Node

40 Collocated Care-Of-Address
Mobile-Router (IPv4) Collocated Care-Of-Address Virtual LAN Interface Mobile Router (Mobile Node) Roaming Interface Tunnel-0 MR Loopback Virtual Interface COA Internet WAN Internet Internet WAN Home Agent HA Loopback Virtual Interface Corresponding Node

41 What’s Next The End Game

42 Mobile Networks Share Network Infrastructure Architecture
USCG, Canadian Coast Guard, Commercial Shipping, Pleasure Boaters Open Radio Access / Restricted Network Access Authentication, Authorization and Accounting Architecture Limited, experimental deployment onboard Neah Bay Move RIPv2 routing from Fed. Bldg to Neah Bay Move to full scale deployment Requires full commitment

43 PIX-506 Mobile LAN 10.x.x.x INTRANET 10.x.x.x MR Public INTERNET PROXY FA – Cleveland Public FA - Detroit HA Public 802.11b link PIX- 506 – until we install our PIX FW Then we should not need the baby PIX.

44 HA Outside Main Firewall
Firewall between MR interfaces and public Internet as well as the HA and Private Intranet. Reverse tunneling required as requests from MR LAN hosts must pass through Proxy inside main firewall.

45 Areas that need to be addressed
Home Agent Placement Inside or Outside the Firewall AAA Issues Open Radio Access / Restricted Network Access Secure Key Management IPv6 Mobile Networking Development Work with industry and IETF Develop radio link technology Enable better connectivity throughout the world for both military and aeronautical communications (voice, video and data).

46 NASA’s Needs Mobile Networks

47 Relevant NASA Aeronautics Programs
Advanced Air Transportation Technology (AATT) Weather Information Communication (WINCOMM) Small Aircraft Transportation System (SATS)

48 Aeronautic Networking Issues
Move to IPv6 IPv6 Mobile Networking Authentication, Authorization and Accounting Bandwidth, Bandwidth, Bandwidth Media Access Policy Sending of Operations over Entertainment Channels

49 Earth Observation T3 T1 T2 ?

50 Our vision is to leverage the explosive growth of the telecommunications industry through industry’s impressive technology advancements and potential new commercial satellite systems to provide global, interoperable,seamless connectivity to NASA missions. These technology products will leverage commercially provided capabilities to support inter-orbital, inter-satellite links with commercial space networks, intra-network links within science spacecraft constellations, while operating with terrestrial networks AS much as possible, future communications systems architectures will draw on existing and planned commercial satellite constellations and ground based infrastructures to meet NASA's needs. Using future NASA systems in conjunction with anticipated commercial space networks at higher frequencies will provide higher rate capability and enable reduction in component size, thereby reducing NASA mission development and operational costs.

51 Space Flight Implementation
Sharing Infrastructure Common Media Access Common Ground Terminal Capabilites Common Network Access AAA Common Modulation and Coding Software Radio

52 Backup

53 Asymmetrical Pathing DVB Satellite MilStar, Globalstar, Others
Mobile Router Internet Foreign Agent Foreign Agent Home Agent

54 Neah Bay

55 Papers and Presentations
or and pick “Papers and Presentations”

Download ppt "Securing Mobile Networks"

Similar presentations

Encrypting Wireless Data with VPN Techniques

Encrypting Wireless Data with VPN Techniques
Secure Mobile IP Communication

Secure Mobile IP Communication
Unisys Mobile CommHub – Inventing the Future Presented by: Edward Minyard, ITIL Partner Global Infrastructure Services.

Unisys Mobile CommHub – Inventing the Future Presented by: Edward Minyard, ITIL Partner Global Infrastructure Services.
Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.

Security in VoIP Networks Juan C Pelaez Florida Atlantic University Security in VoIP Networks Juan C Pelaez Florida Atlantic University.
Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.

Agenda Virtual Private Networks (VPNs) Motivation and Basics Deployment Topologies IPSEC (IP Security) Authentication Header (AH) Encapsulating Security.
Module 5: Configuring Access for Remote Clients and Networks.

Module 5: Configuring Access for Remote Clients and Networks.
1 Securing Mobile Networks An Enabling Technology for National and International Security and Beyond.

1 Securing Mobile Networks An Enabling Technology for National and International Security and Beyond.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.

Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.

© 2007 Cisco Systems, Inc. All rights reserved.ISCW-Mod3_L7 1 Network Security 2 Module 6 – Configure Remote Access VPN.
Virtual Private Network prepared by Rachna Agrawal Lixia Hou.

Virtual Private Network prepared by Rachna Agrawal Lixia Hou.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Mobile IP Seamless connectivity for mobile computers.

Mobile IP Seamless connectivity for mobile computers.
Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.

Remote Access Chapter 4. Learning Objectives Understand implications of IEEE 802.1x and how it is used Understand VPN technology and its uses for securing.
1 Mobile Networking As Applied to Any Mobile Network Including Aeronautical Internets Airborne Internet Collaboration Group meeting April 17, 2003 Will.

1 Mobile Networking As Applied to Any Mobile Network Including Aeronautical Internets Airborne Internet Collaboration Group meeting April 17, 2003 Will.
Module 4: Designing Routing and Switching Requirements.

Module 4: Designing Routing and Switching Requirements.
Practical Considerations for Securely Deploying Mobility Will Ivancic NASA Glenn Research Center (216) 433-3494

Practical Considerations for Securely Deploying Mobility Will Ivancic NASA Glenn Research Center (216)
VIRTUAL PRIVATE NETWORK By: Tammy Be Khoa Kieu Stephen Tran Michael Tse.

VIRTUAL PRIVATE NETWORK By: Tammy Be Khoa Kieu Stephen Tran Michael Tse.
1 Mobile Networking Including Application to Aeronautical Internets ICNS Conference May 20, 2003 Will Ivancic –

1 Mobile Networking Including Application to Aeronautical Internets ICNS Conference May 20, 2003 Will Ivancic –
Universal, Ubiquitous, Unfettered Internet © 2000 3ui.com Pte Ltd Mobile Internet Protocol under IPv6 Amlan Saha 3UI.COM Global IPv6 Summit,

Universal, Ubiquitous, Unfettered Internet © ui.com Pte Ltd Mobile Internet Protocol under IPv6 Amlan Saha 3UI.COM Global IPv6 Summit,

Similar presentations

Ads by Google