Slide 1: Wbone: WLAN Roaming Based on Deep Security
Zagreb, May 22nd, 2003
Carsten Bormann, Niels Pollem
with a lot of help from TERENA TF Mobility
Slide 2: WLAN Security: Requirements
- Confidentiality (privacy): nobody can understand foreign traffic; insider attacks are as likely as outsiders'
- Accountability: we can find out who did something; prerequisite: authentication
Slide 3: Security is rarely easy
Slide 4: WLAN Security: Approaches
- AP-based security: the AP is the network boundary; WEP (broken), WEP fixes, WPA, …; 802.1X (EAP variants + RADIUS) + 802.11i
- Network-based security ("deep security"): VPNs are needed by mobile people anyway; SSH, PPTP, IPsec; allows development of security standards; some VPN technologies are IPv6-enabled
- AP-based security not needed anymore!
Slide 5: Figure: the docking network sits between the world and the campus network / Intranet X, which are reached only through VPN gateways; the docking network itself offers just DHCP, DNS and free Web.
Slide 6: "Standard Architecture" (DE)
- All access points in one Layer-2 VLAN with RFC 1918 addresses: the docking network; a specific SSID ("Uni-Bremen") is used for access (explicitly!)
- Little infrastructure in the docking network: DHCP, DNS, "free services" (internal Web)
- One VPN gateway for each target network (campus network, workgroups, possibly with firewalls), i.e. decentralized; SSH, PPTP and IPsec clients exist for all platforms; gateway on cheap hardware (PC with Linux)
- "Standard" = used in many German universities
Slide 7: WLAN Access Control: Why VPN-based?
- Historically, more reason to trust L3 security than L2
- IPsec has lots of security analysis behind it
- Available for just about everything (Windows 98, PDAs, etc.); easy to accommodate multiple security contexts
- Even with pre-2003 infrastructure, data is secure in the air and up to the VPN gateway
- Most of all: It just works™
Slide 8: WLAN Access Control: Why 802.1X is better
- 802.1X is taking over the world anyway; the EAP/XYZ people are finally getting it right (only 5 more revisions before XYZ wins wide vendor support)
- Available for more and more systems (Windows 2000 up)
- Distributes the hard crypto work to zillions of access points; blocks unwanted clients as early as possible
- More control for the visited site admin, too! Easy to accommodate multiple security contexts with Cisco 1200 and other products (to be shipped)
- Most of all: It just works™
Slide 9: WLAN Access Control: Why Web-based filtering is better
- No software needed (everybody has a browser)
- Ties right into existing user/password schemes
- Can be made to work easily for guest users; it's what the hotspots use, so guest users will know it already; may be able to tie in with Greenspot etc.
- Privacy isn't that important anyway (use TLS and SSH); accountability isn't that important anyway
- Most of all: It just works™
Slide 10: Users want to roam between institutions
TERENA TF Mobility: roam within Europe's NRENs
- 802.1X with RADIUS (AP-based)
- Access to VPN gateways (network-based)
- Web-based authentication (network-based)
Here: the Bremen approach (Wbone)
http://www.terena.nl/mobility
Slide 11: Roaming: High-level requirements
Objective: enable NREN users to use the Internet (WLAN and wired) everywhere in Europe
- with minimal administrative overhead (per roaming)
- with good usability
- maintaining the required security for all partners
Slide 12: Minimize admin overhead
- Very little admin work to enable roaming per user (preferably none), both for the home network and even more so for the visited network
- No admin work required per roaming occurrence
- Minimize the complexity of additional systems required (consider the architecture at the involved institutions); must integrate with existing AAA systems, e.g., RADIUS; no O(n²) work required when scaling the system
- No regulatory entanglement
Slide 13: Good usability
- Available to most current WLAN (and wired) users: standards-based, low-cost
- No additional software required to enable roaming (software may be required for local use beforehand); consider both laptop and PDA usage
- Enable all work: IPv4 and IPv6; access to home institution networks; enable use of home addresses while roaming
- Enable local work in the visited network: SLP, authorization issues/user classes?
Slide 14: Security requirements
- Allow use only for approved [by whom?] NREN users; legal binding to some common terms of use
- Provide accountability
- Nice to have: provide reasonable basic ("like in wired access") security for the individual user [cannot fulfill in all environments]: confidentiality of traffic (not necessarily with respect to current position!); integrity/guard against data manipulation and session hijacking
- Allow real security (end-to-end) on top (e.g., highlight the limitations of NATs)
- Don't aggravate security issues of visited networks
Slide 15: Security non-requirements
- No need to "protect" WLAN: ISM spectrum can't be protected anyway
- Hard to reliably conceal positioning information
Slide 16: Bremen: One State … Five Universities
- Universität Bremen
- Hochschule Bremen
- Hochschule für Künste
- Hochschule Bremerhaven
- International University Bremen
shared programs
Slide 17: Wbone: VPN-based solution(s)
- Security (for 802.11): VPN-based (local) solution, widely adopted in Germany; interconnecting sites requires routing and address-space coordination
- Bremen: create an early user experience. By chance, different RFC 1918 networks were used for the docking networks, so simply connect them via the state's backbone; users can connect to their home gateway from any site
Slide 18: Figure: two sites, each with Intranet X, a docking network, a campus network with G-WiN uplink, VPN gateways and DHCP/DNS/free Web; the docking networks are interconnected by Wbone over G-WiN. Clients leave through their home network/gateway.
Slide 19: Figure: Wbone interconnecting docking networks over the RBriteline. Sites and docking-network prefixes: Uni Bremen 172.21/16, HS Bremen 172.25/16, HfK, HS Bremerhaven 10.28.64/18, AWI. Each site runs VPN gateways of the types IPsec (Cisco), IPsec/PPTP/SSH (Linux) or PPTP (Linux). Extend to other sites …
Slide 20: Wbone: the user experience is there …
- No need for users to change their configuration; that's the way it's supposed to be
- Staff and students can roam freely, daily! 1800 registered
- Now, make it scale: address coordination, DNS; OSPF, GRE, VRF; routable addresses vs. RFC 1918
Slide 21: Wbone: Moving to Europe
- Scale the private address architecture to the European level? Do all this in public, routable address space instead!
- Separate the docking networks from a controlled address space for gateways (CASG*); docking networks allow packets out to and in from the CASG
- Need to add an access control device (such as a router with ACLs)
- Nicely solves the transit problem in the process
*) née "relay network" (Ueli Kienholz)
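The access-controller rule of slides 6 and 21, as an added example in Python (my code, not code from the slides or from Wbone): packets from the docking network may leave only towards the CASG, and only packets from the CASG may come back in. The docking prefix 172.21.0.0/16 is Uni Bremen's from slide 19; the CASG prefix 192.0.2.0/24 is a hypothetical stand-in; and restricting the permitted traffic to the VPN protocols of slide 6 (IPsec, PPTP, SSH) is a tightening this example assumes on top of the slide's prefix-only rule.

```python
"""Docking-network access controller (added example, not from the slides).

Models the filter on slide 21: the docking network may send packets to the
CASG and receive packets from it; nothing else crosses the controller.
Assumptions: docking prefix 172.21.0.0/16 (Uni Bremen's, slide 19); the CASG
prefix 192.0.2.0/24 is a hypothetical stand-in; only VPN protocols are let
through (a tightening of the slide's prefix-only rule).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional

DOCKING = ip_network("172.21.0.0/16")   # docking network (slide 19)
CASG = ip_network("192.0.2.0/24")       # hypothetical CASG prefix

# VPN set-up and tunnel traffic for the gateway types on slides 6 and 19:
# IKE and IKE NAT-T (IPsec), PPTP control, SSH, plus ESP and GRE payloads.
VPN_PORTS = {("udp", 500), ("udp", 4500), ("tcp", 1723), ("tcp", 22)}
VPN_IP_PROTOCOLS = {"esp", "gre"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "esp", "gre", "icmp", ...
    dport: Optional[int] = None
    sport: Optional[int] = None


def is_vpn_traffic(proto: str, gateway_port: Optional[int]) -> bool:
    return proto in VPN_IP_PROTOCOLS or (proto, gateway_port) in VPN_PORTS


def egress_allowed(p: Packet) -> bool:
    """Docking network -> outside: source must be inside the docking prefix
    (anti-spoofing), destination a CASG gateway, protocol a VPN protocol."""
    if ip_address(p.src) not in DOCKING or ip_address(p.dst) not in CASG:
        return False
    return is_vpn_traffic(p.proto, p.dport)


def ingress_allowed(p: Packet) -> bool:
    """Outside -> docking network: only CASG gateways may talk back, and only
    with VPN protocols. Stateless like a router ACL, so a compromised CASG
    host could still probe clients; a stateful firewall would close that."""
    if ip_address(p.src) not in CASG or ip_address(p.dst) not in DOCKING:
        return False
    return is_vpn_traffic(p.proto, p.sport)


def filter_packets(packets: Iterable[Packet]) -> Dict[Packet, str]:
    """Classify each packet by direction and return 'accept' or 'drop'."""
    verdicts: Dict[Packet, str] = {}
    for p in packets:
        if ip_address(p.src) in DOCKING:
            ok = egress_allowed(p)
        else:
            ok = ingress_allowed(p)
        verdicts[p] = "accept" if ok else "drop"
    return verdicts


# Constructed sample traffic, not captured from any real network.
SAMPLE = [
    Packet("172.21.5.7", "192.0.2.10", "udp", dport=500),     # IKE to home gateway
    Packet("172.21.5.7", "192.0.2.10", "esp"),                # ESP tunnel payload
    Packet("172.21.5.7", "192.0.2.11", "tcp", dport=1723),    # PPTP control channel
    Packet("192.0.2.10", "172.21.5.7", "udp", sport=500),     # IKE reply from gateway
    Packet("172.21.5.7", "198.51.100.1", "tcp", dport=80),    # direct Web, bypassing the VPN
    Packet("172.21.5.7", "192.0.2.10", "tcp", dport=80),      # Web to the gateway box itself
    Packet("10.9.8.7", "192.0.2.10", "udp", dport=500),       # spoofed source address
    Packet("198.51.100.1", "172.21.5.7", "tcp", dport=22),    # Internet host probing a client
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE).items():
        print(f"{verdict:6} {pkt.src} -> {pkt.dst} {pkt.proto}")
```

The first four sample packets are accepted and the last four dropped. The drop of plain Web traffic to the Internet is the whole point of the design: an unauthenticated client on the docking network gets nothing except a path to a VPN gateway, so accountability comes from the gateway's authentication, not from the AP.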
Slide 22: Figure: three sites, each with Intranet X, a docking network behind an access controller, a campus network with G-WiN uplink, VPN gateways and DHCP/DNS/free Web. The docking networks reach the CASG across "the big bad Internet".
Slide 23: CASG allocation
- Back-of-the-envelope: 1 address per 10,000 population; e.g., .CH gets ~600, Bremen gets ~60
- Allocate to minimize routing fragmentation; may have to use some tunneling/forwarding
- A VPN gateway can have both a local and a CASG address
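The allocation rule of slide 23 carried through in Python, as an added example (my code, not the slides' or Wbone's): sizes follow the one-address-per-10,000 rule, rounded up to a CIDR block, and blocks are handed out largest first from a single pool so that each participant is one route. The pool 198.18.0.0/15 is a hypothetical stand-in for a real CASG prefix, and the population figures are constructed round numbers, not the slide's values.

```python
"""CASG address allocation (added example, not from the slides).

Slide 23: one address per 10,000 population, allocated to minimize routing
fragmentation. Each participant gets a single aligned CIDR block, largest
demands first, so every participant is one route and the leftovers stay as
large as possible. The pool 198.18.0.0/15 is a hypothetical stand-in and the
population figures are constructed round numbers.
"""
import math
from ipaddress import IPv4Network
from typing import Dict


def addresses_needed(population: int, per_head: int = 10_000) -> int:
    """Back-of-the-envelope rule from slide 23."""
    return max(1, math.ceil(population / per_head))


def prefix_length_for(count: int) -> int:
    """Smallest CIDR block (a power of two) holding `count` addresses."""
    return 32 - math.ceil(math.log2(count)) if count > 1 else 32


def allocate(pool: IPv4Network, demands: Dict[str, int]) -> Dict[str, IPv4Network]:
    """Buddy-style allocation: take the smallest free block that fits, split it
    down to the needed size and return the other halves to the free list."""
    free = [pool]
    result: Dict[str, IPv4Network] = {}
    for name, count in sorted(demands.items(), key=lambda kv: -kv[1]):
        plen = prefix_length_for(count)
        fitting = [b for b in free if b.prefixlen <= plen]
        if not fitting:
            raise ValueError(f"pool exhausted while allocating {name}")
        block = max(fitting, key=lambda b: b.prefixlen)   # smallest block that fits
        free.remove(block)
        while block.prefixlen < plen:
            block, other_half = block.subnets(prefixlen_diff=1)
            free.append(other_half)
        result[name] = block
    return result


# Constructed populations (approximate, for illustration only).
POPULATION = {"NL": 16_200_000, "CH": 7_300_000, "FI": 5_200_000, "Bremen": 660_000}
POOL = IPv4Network("198.18.0.0/15")   # hypothetical CASG pool


def plan() -> Dict[str, IPv4Network]:
    """Turn the population table into one CASG block per participant."""
    return allocate(POOL, {k: addresses_needed(v) for k, v in POPULATION.items()})


if __name__ == "__main__":
    for name, block in plan().items():
        need = addresses_needed(POPULATION[name])
        print(f"{name:7} needs {need:5} -> {block} ({block.num_addresses} addresses)")
```

With these inputs NL lands in 198.18.0.0/21, CH in 198.18.8.0/22, FI in 198.18.12.0/22 and Bremen in 198.18.16.0/25; the blocks never overlap and each participant announces exactly one prefix, which is what "minimize routing fragmentation" asks for. Rounding 730 addresses up to 1024 is the price of aligned blocks.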
Slide 24: Interoperability?
- Both Web and .1X can use the RADIUS hierarchy; VPN gateways can actually use it, too
- VPN sites probably want to add Web-based filtering; helps Web and .1X users, if connected to the RADIUS hierarchy
- Web-based sites can easily add CASG access; by using the RADIUS hierarchy, .1X users are fine
- .1X sites with Cisco 1200 can add a "docking VLAN": CASG access and Web-based filtering to accommodate visitors
YES, but lots of political problems
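The RADIUS hierarchy that slides 12 and 24 rely on, as an added example in Python (my code, not the slides' or TERENA's): each server authenticates its own realms, forwards known suffixes to a downstream proxy and anything else to its single upstream, so a visited site configures one peer rather than one per partner institution (the "no O(n²) work" requirement). The proxy names, realms and three-level tree are hypothetical; the realm split follows the user@realm form of the Network Access Identifier.

```python
"""RADIUS realm hierarchy for roaming (added example, not from the slides).

Each proxy knows its own realms, its downstream proxies by realm suffix and
one upstream. A visited site therefore configures one peer instead of one per
partner. Proxy and realm names are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def split_nai(nai: str) -> Tuple[str, str]:
    """Split user@realm. A visited site cannot route a request without a
    realm, and a second '@' would let a user pick which server sees the
    password, so both are rejected up front instead of guessed around."""
    if nai.count("@") != 1:
        raise ValueError("NAI must contain exactly one '@'")
    user, realm = nai.split("@")
    if not user or not realm:
        raise ValueError("empty user or realm")
    return user, realm.lower()


@dataclass
class RadiusProxy:
    name: str
    local_realms: Set[str] = field(default_factory=set)
    children: Dict[str, "RadiusProxy"] = field(default_factory=dict)  # suffix -> downstream
    parent: Optional["RadiusProxy"] = None

    def add_child(self, suffix: str, child: "RadiusProxy") -> "RadiusProxy":
        self.children[suffix] = child
        child.parent = self
        return child

    def route(self, realm: str, hops: List[str], downward: bool = False) -> str:
        """'authenticate' at the home server, 'reject' if nobody owns the realm.
        A request travelling downwards never bounces back up: that is the loop
        guard a real proxy needs, since RADIUS has no hop count of its own."""
        hops.append(self.name)
        if realm in self.local_realms:
            return "authenticate"
        for suffix, child in self.children.items():
            if realm == suffix or realm.endswith("." + suffix):
                return child.route(realm, hops, downward=True)
        if self.parent is not None and not downward:
            return self.parent.route(realm, hops)
        return "reject"


def build_hierarchy() -> Dict[str, RadiusProxy]:
    """Hypothetical tree: European top level, national NREN proxies, institutions."""
    top = RadiusProxy("terena-top")
    dfn = top.add_child("de", RadiusProxy("dfn"))
    switch = top.add_child("ch", RadiusProxy("switch"))
    uni_bremen = dfn.add_child("uni-bremen.de", RadiusProxy("uni-bremen", {"uni-bremen.de"}))
    ethz = switch.add_child("ethz.ch", RadiusProxy("ethz", {"ethz.ch"}))
    return {p.name: p for p in (top, dfn, switch, uni_bremen, ethz)}


def authenticate_at(visited: RadiusProxy, nai: str) -> Tuple[str, List[str]]:
    """Simulate the visited site's RADIUS server handling an Access-Request
    and return the decision plus the list of proxies the request traversed."""
    hops: List[str] = []
    try:
        _user, realm = split_nai(nai)
    except ValueError:
        return "reject", [visited.name]
    return visited.route(realm, hops), hops


if __name__ == "__main__":
    servers = build_hierarchy()
    for nai in ("alice@uni-bremen.de", "dave@ethz.ch", "bob@unknown.de", "carol"):
        decision, hops = authenticate_at(servers["ethz"], nai)
        print(f"{nai:22} {decision:13} via {' -> '.join(hops)}")
```

A Bremen user at the hypothetical ethz site travels ethz, switch, terena-top, dfn, uni-bremen and is authenticated at home; a realm nobody owns is rejected at the national proxy without looping back up. Every hop here is a party that sees the request, which is why EAP methods that protect the credential inside the tunnel matter in this model, and why the slides' VPN approach avoids the question by authenticating at the home gateway directly.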
Slide 25: Political problem
- It makes a lot of sense for an NREN to force one variant. Fictional examples: FI: all Web, NL: all .1X, DE: all VPN
- Opening backdoors for other NRENs at the same time may make you seem less convincing :-)
- Let's do the right thing™ anyway …