Transcript casg-in
WLAN Roaming for the European Scientific Community: Lessons Learned Rodo, June 9th, 2004 Carsten Bormann <[email protected]> Niels Pollem <[email protected]> reporting on the work of TERENA TF Mobility http://www.terena.nl/mobility/ Outline WLAN access control and security How does inter-domain roaming work Roaming on a European scale How to integrate solutions at the site level Conclusion 2 WLAN Security: Requirements Confidentiality (Privacy): Nobody can understand foreign traffic Insider attacks as likely as outsiders' Accountability: We can find out who did something Prerequisite: Authentication 3 (2003:) Security is rarely easy 4 (2004:) solved 5 (2004:) or maybe not? 6 WLAN Security: Approaches AP-based Security: AP is network boundary WEP (broken), WEP fixes, WPA, … 802.1X (EAP variants + RADIUS) + 802.11i Network based Security: deep security VPNs needed by mobile people anyway SSH, PPTP, IPsec Alternative: Web-diverter (temporary MAC/IP address filtering) No confidentiality at all, though 7 Routers .1X world Access network Campus network Intranet X RADIUS Server(s) 8 WLAN Access Control: Why 802.1X is better 802.1X is taking over the world anyway The EAP/XYZ people are finally getting it right Only 5 more revisions before XYZ wins wide vendor support Available for more and more systems (Windows 2000 up) Distribute hard crypto work to zillions of access points Block them as early as possible More control to visited site admin, too! Most of all: It just works™ 9 VPN-Gateways VPN world Docking network Campus network Intranet X DHCP, DNS, free Web 10 WLAN Access Control: Why VPN is better Historically, more reason to trust L3 security than L2 IPSec has lots of security analysis behind it Can use cheap/dumb APs Available for just about everything (Windows 98, PDA etc.) Easy to accommodate multiple security contexts Even with pre-2003 infrastructure Data is secure in the air and up to VPN gateway Most of all: It just works™ 11 Access Control Device Docking network Web world Campus network Intranet X DHCP, DNS, free Web 12 WLAN Access Control: Why Web-based filtering is better No client software needed (everybody has a browser) Ties right into existing user/password schemes Can be made to work easily for guest users It’s what the hotspots use, so guest users will know it already May be able to tie in with Greenspot etc. Privacy isn’t that important anyway (use TLS and SSH) Accountability isn’t that important anyway Most of all: It just works™ 13 From Access Control to Roaming Roaming: High-level requirements Objective: Enable NREN users to use Internet (WLAN and wired) everywhere in Europe with minimal administrative overhead (per roaming) with good usability maintaining required security for all partners 15 Inter-domain 802.1X Supplicant Authenticator (AP or switch) Visited RADIUS server Institution A Guest RADIUS server User DB Institution B User DB Internet piet@institution_b.nl Employee VLAN Home Guest VLAN Student VLAN Central RADIUS Proxy server e.g., @NREN 16 Web-based with RADIUS 17 VPN VPN-Gateways Docking network G-WiN Wbone – VPN roaming solution to 4 universities / colleges in state of Bremen. SWITCHmobile – VPN solution deployed at 14+ universities and other sites across Switzerland. Campus Network Intranet X DHCP, DNS, free Web VPN-Gateways Docking network G-WiN Campus Network Intranet X Clients enter the Internet through home DHCP, DNS, network/gateway. free Web 18 IPSec extend to other sites ... Wbone interconnecting docking networks PPTP Linux Cisco HS Brhv. 10.28.64/18 HfK PPTP IPSec/PPTP/SSH Linux Linux R Briteline HS Bremen Uni Bremen 172.25/16 IPSec Cisco AWI IPSec PPTP Cisco Linux 172.21/16 PPTP Linux 19 Making roaming work on a European scale European RADIUS hierarchy UNI-C FUNET SURFnet UKERNA DFN CESnet FCCN CARnet GRnet RADIUS Proxy servers connecting to a European level RADIUS proxy server RedIRIS 21 The CASG Separate docking networks from inetnum: netname: descr: descr: descr: country: admin-c: tech-c: tech-c: status: mnt-by: changed: source: 193.174.167.0 - 193.174.167.255 CASG-DFN DFN-Verein Stresemannstrasse 78 10963 Berlin DE MW238 JR433 KL565 ASSIGNED PA DFN-LIR-MNT [email protected] 20040603 RIPE controlled address space for gateways (CASG) Hosts on docking networks can freely interchange packets with hosts in the CASG Easy to accomplish with a couple of ACLs All VPN gateways get an additional CASG address Hmm, problem with some Cisco concentrators 22 VPN-Gateways Docking network Access controller G-WiN Campus Network Intranet X DHCP, DNS, free Web VPN-Gateways Docking network Access controller The big CASG bad Internet G-WiN Campus Network VPN-Gateways Access controller Intranet X DHCP, DNS, free Web Docking network G-WiN Campus Network Intranet X DHCP, DNS, free Web 23 CASG allocation Back-of-the-Envelope: 1 address per 10000 population E.g., .CH gets ~600, Bremen gets ~60 Allocate to minimize routing fragmentation May have to use some tunneling/forwarding VPN gateway can have both local and CASG address 24 The CASG Pledge I will gladly accept any packet There is no such thing as a security incident on the CASG I will not put useful things in the CASG People should not be motivated to go there except to authenticate or use authenticated services I will help manage the prefix space to remain stable 25 How to integrate all these at the site level? Commonalities 802.1X Secure SSID RADIUS Web-based captive portal Open SSID RADIUS VPN-based Open SSID No RADIUS } RADIUS backend } Docking net (open SSID) 27 How can I help... as a home institution Implement the other backend: As a RADIUS-based site Implement a CASG VPN gateway (or subscribe to an NREN one) Provide the right RADIUS for all frontends As a VPN site Run a RADIUS server Help the users try and debug their roaming setup while at home (play visited site) 28 How can I help... as a visited institution Implement the other frontend: As a docking network site Implement the other docking appraoch: CASG access or Web-diverter Implement a 802.1X SSID (“eduroam”) in addition to open SSID As an 802.1X site Implement an open SSID with CASG access and Web-diverter Your local users will like it, too Maybe too much… 29 Network layout with multiple SSID’s and VLAN assignment 30 Network layout without multiple SSID’s and VLAN assignment 31 Doing the plumbing Default router in docking net Default route points to access control device: ip route 0.0.0.0 0.0.0.0 172.21.3.11 CASG routes point to CASG router ip route 193.174.167.0 255.255.255.0 172.21.3.250 33 CASG router ip access-list extended casg-out permit ip 193.174.167.0 0.0.0.255 any deny ip any any ip access-list extended casg-in permit ip any 193.174.167.0 0.0.0.255 deny ip any any interface Vlan86 ip address 172.21.3.250 255.255.0.0 ip access-group casg-in in ip access-group casg-out out ip nat inside 34 What if docking net is RFC1918? Maximum compatibility with an address-based NAT: ip access-list standard docking-addr permit 172.21.0.0 0.0.255.255 ! ip nat translation timeout 1800 ip nat pool dn 134.102.216.1 134.102.216.250 netmask 255.255.255.0 ip nat inside source list docking-addr pool dn 35 So where are we? Fun little issues 1/3 of Bremen‘s 432 Cisco 340 APs can't do VLANs Ethernet interface hardware MTU issue Some client WLAN drivers are erratic in the presence of multi-SSID APs Can't give university IP addresses to roamers Too many university-only services are “authenticated” on IP address Address pool must be big enough for flash crowds CASG space is currently allocated on a national level So there will be a dozen updates before CASG is stable 37 Conclusions It is possible to create a fully interoperable solution It’s not that hard: especially when you use TF mobility’s deliverable H to guide you Re-evaluate solutions in a couple of years TF mobility is going for a second term to help Integration approach also provides an easy upgrade path E.g., add 802.1X to docking-only site 38 Conclusions It is possible to create a fully interoperable solution It’s not that hard especially when you use TF mobility’s deliverable H to guide you Re-evaluate solutions in a couple of years TF mobility is going for a second term to help Integration approach also provides an easy upgrade path E.g., add 802.1X to docking-only site 39