Download Part II. Project Information, to be completed by the proposer (Faculty

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Document related concepts
no text concepts found
Transcript
CENG SP-FORM1
ÇANKAYA UNIVERSITY
Computer Engineering Department
CENG 407–408 Senior Project (Innovative System Design and
Development) Proposal Form
This form should be used for all CENG 407 – 408 Senior Project Proposals. A topic can be jointly proposed by faculty, company and/or student,
signed by at least one of the partners.
Part I.
Project Proposer
Names (supervisor,
company, student)
and organizations
Part II.
Mobile
Supervisor:
Company:
Portakal Teknoloji
(contact: Bora Güngören)
Students:
E-Mail
[email protected]
Signature
Project Information, to be completed by the proposer (Faculty, Student and/or Company)
Starting Term
Title
2
0
1
6
/
2
0
1
7
☒ Fall
▢ Spring
SECURE DEDICATED MOBILE APN MANAGEMENT IN CLOUD (SEAPN-CANKAYA)
Description (extra sheets can be added)
The Problem Statement
As the number of mobile devices in organizations increase, managing these mobile assets and providing services to their users increases the
complexity of information systems. In particular, integrating services that are offered through mobile devices (smart phones, tablets) or collect
information through such devices (sensor network nodes, industrial IoT devices, home automation tools, etc) becomes problematic because these
devices are on separate networks. Security concerns are also present but often not addressed due to integration problems.
In a practical situation, many devices will be using cellular network based internet connection (i.e. 3/4G) through different service providers (i.e.
Turkcell, Vodafone, etc) and they will necessarily be connected to other assets (i.e. server based software) located in different locations (company
data centers, co-location provider data centers, cloud service providers). This presents the following problem: Devices are not on the same network
and the IP addresses of the mobile devices change all the time.
Some solutions to this problem have been tested in the past:
1. Let the mobile devices notify servers about their new IP address. This requires a service to be installed on mobile devices. Developing this
service and maintaining its compatibility with all the mobile device models is very problematic. Besides users are concerned about
installing such a service. So this is not feasible for smart phones or tablets.
2. Let all the mobile devices have static IP addresses. This approach has an additional cost item. The static IP is rented monthly from the
network operator (i.e. Turkcell). Also if the devices are from different networks their IP address blocks will not be in consecutive blocks (i.e.
Turkcell and Vodafone connected devices will not have similar IP addresses) and this makes network management harder.
Tthe ideal solution would enable the company network administrator to easily manage the IP addresses of the mobile devices.
The usual, near-ideal solution for this is called a Dedicated Mobile Access Point Name (Mobile APN for short, see the resources.) In this solution,
the network provider creates a virtual operator name that appears in the mobile devices for a company. Their IP addresses are either specified or
managed through a common network service (usually RADIUS, but also Diameter). So a company can determine a devices IP address through its
GSM network number (i.e. 533-1234567 is 88.224.22.67, and 533-1234568 is 88.224.22.68) but this works for a single mobile operator. The
solution is not necessarily integrated for different operators and requires the company to set up a RADIUS server and a back-end database server
(usually MySQL)
The ideal solution would enable companies to manage Mobile APNs provided by multiple operators through their own infrastructure.
The security aspect is usually handled simply to a degree using Virtual Private Networks (VPNs). For their operational simplicity and scalability
telco operators suggest establishing an IPSEC VPN through a Hub-and-Spoke topology. In this topology, companies are assumed to have their VPN
infrastructure set up at their headquarters or a data center (DC) of their choice (including cloud). This requires the companies to set up a firewall and
a VPN concentrator. The VPN connection between the company DC and the telco is encrypted. Note that telco companies assume their clients’ trust
so that the privacy of company traffic in telco network is assumed not to be compromised.
Using these two partial solutions together enables a degree of security coupled with a degree of management. In particular the IP addresses of the
managed mobile devices can now be set up in an internal IP address block (i.e. 192.168.2.2, 192.168.2.3) so that other software running in the data
center can be used together.
The problem with the status quo is that it is not easy to deploy, not easy to manage and usually not scalable.
1. Many companies actually need Mobile APNs but they do not have the IT staff to set up and maintain the above architecture.
2. IPSEC VPNs are relatively simple to establish but having a cost effective and scalable setup is not easy. This is in particular true when the
VPN is managed by the company’s existing generic firewall. A cost effective way of establishing and managing a scalable VPN
concentrator that is dedicated to Mobile APN use is required.
3. Companies cannot easily manage the IP address allocation for devices because they do not have an easy to use user interface for this
task. Usually some non-technical department assigns the devices to employees and then requests the network administrators to set up
Mobile APN settings for that particular device manually. In the worst cases it may take up to several weeks to enable a device to access
the Mobile APN. Also discarding older or stolen devices becomes problematic.
4. Many companies do not have appropriate data centers and co-location providers charge significant amounts for under-utilized and small
hardware such as firewalls and VPN concentrators. Also many companies set up RADIUS and MySQL servers in separate physical
Version: July 2015
CENG SP-FORM1
machines and this increases costs for them. Giving up availability and scalability for lesser costs is the common but not necessarily wise
decision.
INTERNET
Company FW
TELCO FW
VPN Concentrator
VPN Concentrator
TELCO RADIUS Server DEVICE (3G Network)
Company RADIUS Server Company DB Server
COMPANY SERVERS
TELCO SERVERS
Figure 1. Simple representation of IPSEC VPN and Mobile APN Management
Telco
FW/VPN
Co. FW/
VPN
Establish IPSEC VPN
OK
Mobile
Device
Request Connection
Telco
NAS
Telco
RADIUS
Authenticate
Device
(GSM Number)
Co.
RADIUS
Co.
MySQL
Authenticate
Device
(GSM Number)
Query
Result
Authentication Success, Co. Local IP Address
Co. Local IP Address
Authentication Success,
Co. Local IP Address
Figure 2. Mobile Device Authentication Sequence
Proposed Solution (SEAPN-CANKAYA)
The proposed solution makes use of open source components to solve the problem with a good architecture, and a small but very high quality code
base.
1. Open source firewalls (in particular Pfsense) can easily be set up in virtual machines and in clusters. They can also be used as VPN
concentrators.
2. Open source RADIUS (and Diameter) server implementations can be virtualized and clustered easily.
3. MySQL clusters or MySQL-compatible DB clusters can be used to store configuration parameters.
4. OS and application virtualization enables a smart setup to have horizontal scalability for each component.
Hence the solution will incorporate,
1. A managed cluster of Pfsense firewall instances configured for load balancing and high availability installed as virtual machines. These
virtual machines will initially be created in Virtualbox environment but then be ported to AWS cloud through use of Vagrant.
2. A managed cluster of virtualized RADIUS (and Diameter) servers configured to get their configurations from a relational database. The
virtualization shall be done through Docker which is the main (superstar) tool used by Google, IBM, Red Hat, and practically everyone
else. The setup will be first tested on Virtualbox and then migrated towards AWS for further testing.
3. A managed cluster of MySQL servers configured to store RADIUS (and Diameter) configuration parameters as well as other data. The
virtualizations shall be done through Docker and clustering done through Galera. The setup will be first tested on Virtualbox and then
migrated towards AWS for further testing.
4. A web application that enables users and network administrators of companies to simply manage the IPSEC VPN and Mobile APN
configuration parameters. This application can be developed using any open source toolset but for advanced security Java Server Faces
(JSF) is preferred. JSF is actually very easy to learn because a UI-design driven development life cycle similar to PHP is supported. The
Tomcat containers for this web application should also be clustered using Apache/Tomcat’s own capabilities and virtualized through
Docker.
Version: July 2015
CENG SP-FORM1
Application
Virtualization
FreeRADIUS
Server (Cluster)
FreeDiameter
Server (Cluster)
MySQL Server
(Galera Cluster)
Tomcat Server
(Cluster)
OS-Level
Virtualization
Pfsense Cluster
Firewall/VPN
Linux Virtual Machines
Infrastructure
Oracle
Virtualbox
Amazon (AWS)
Figure 3. Degrees of Virtualization in SEAPN
Telco
RADIUS
Co.
RADIUS
Staff
Web UI
Add Device
(GSM Number,
Class, Expiration, etc)
DB
Add Configuration
OK
Query
OK
Query
OK, IP
OK, IP
Remove Device
Update
Configuration
OK
OK
Query
Query
Not OK
Not OK
Figure 4. Adding and discarding devices from a Web UI in SEAPN
Important Notes on Development Schedule and Methodology
This is an intensive project but will give the students a unique opportunity to learn several skills (with very high demand) that will help them be ready
for their professional life. Most of these skills are about tools (mobile APNs, clustering data bases, Docker virtualization, using AWS, development in
JSF, etc.) but the most important of them all is to gain a modern, systematic, and open working style.
The student team is required to
1. Have an open and transparent style. All work should be committed to an open access configuration management system (i.e. GitHub).
Uncommitted work will be assumed non-existing.
2. Have weekly meetings starting immediately and continuing through final exams and semester breaks. Workload may be variable but there
is no reason to skip meetings.
3. Document everything, but not necessarily as long and extremely detailed reports. Use of blogging, discussing designs through online
project management software (i.e. Bitrix24) are also considered as documentation. However, documentation required by the university
should also be prepared.
4. Testing is of essence. When designing and implementing even a small code block, how to test should be discussed. Unit tests may be
required for some code segments and integration testing will be compulsory.
Version: July 2015
5.
CENG SP-FORM1
Use and contribute to other open source software when possible. Open source is a very good method of developing and testing software
that may be used by a large number of users. As the target for this project includes many organizations, the student team will probably
find many parts of their design already being implemented elsewhere under an open source project. When possible code re-use through
open source repositories and contributions to those repositories is encouraged.
Online resources for interested students
[1] Mobile APN article on Wikipedia, https://en.wikipedia.org/wiki/Access_Point_Name
[2] RADIUS protocol article on Wikipedia, https://en.wikipedia.org/wiki/RADIUS
[3] Diameter protocol article on Wikipedia, https://en.wikipedia.org/wiki/Diameter_(protocol)
[4] Short RADIUS vs. Diameter discussion in a Cisco data sheet,
http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.html
[5] IPSEC article on Wikipedia, https://en.wikipedia.org/wiki/IPsec
[6] IPSEC WAN Design guide by Cisco, http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf
[7] Pfsense project home page, https://www.pfsense.org/
[8] Scalability article on Wikipedia, https://en.wikipedia.org/wiki/Scalability
[9] Short Stackoverflow discussion about horizontal and vertical scalability in databases, http://stackoverflow.com/questions/11707879/differencebetween-scaling-horizontally-and-vertically-for-databases
[10] Vagrant project web site, https://www.vagrantup.com/
[11] FreeRADIUS project web site, http://freeradius.org/
[12] FreeDiameter project web site, http://www.freediameter.net/trac
[13] Docker project web site, https://www.docker.com/
[14] Stackoverflow discussion on how Docker differs from OS virtualization from a developer’s perspective,
http://stackoverflow.com/questions/16047306/how-is-docker-different-from-a-normal-virtual-machine
[15] Galera cluster web site, http://galeracluster.com/
[16] Tutorial on setting up a Galera MySQL cluster with Docker, http://www.severalnines.com/blog/how-deploy-galera-cluster-mysql-using-dockercontainers
[17] Official HOW-TO on clustering Tomcat 8, http://tomcat.apache.org/tomcat-8.0-doc/cluster-howto.html
[18] A very realistic tutorial on clustering Tomcat 8, https://www.mulesoft.com/tcat/tomcat-clustering
Justification
1.
Novelty
2.
3.
4.
1.
2.
Complexity
3.
4.
Constraints:
economics,
sustainability,
environment, ethics,
security, health, social
and political issues,
Risks involved
Version: July 2015
1.
2.
3.
4.
1.
2.
3.
The solution will be the first solution that allows companies to integrate IP address management in multiple
operators (i.e. Turkcell and Vodafone and AVEA all together)
The solution will support not only RADIUS but also Diameter.
The solution will not be limited to using MySQL. Amazon RDS should also be supported.
The application architecture is required to use both operating system and application virtualization. In particular
AWS and Virtualbox will be used to virtualize OS instances and Vagrant will be used to manage their
deployment. Docket/Kubernetes will be used to virtualize application servers and
The project is about integrating many parts, managing complexity and hiding the complexity from the users, so
the project itself is inherently complex. There is no chance that a not-so-complex alternative be developed.
Virtualization of services through containers (in particular Docker) requires a higher degree of understanding of
software architecture.
Use of COTS components for IPSEC, RADIUS, Diameter, MySQL, etc. has its advantages but also brings
additional requirements about integration.
This project is network intensive. To debug some possible errors, use of network tools (in particular traffic
monitoring) will be required.
The solution is required to be secure. Therefore support for IPSEC VPN is a must.
The solution is required to be not tied in to a specific cloud platform. So migration from Amazon to another
cloud service provider (i.e. IBM, Digital Ocean, etc) should be supported.
The solution is required to be not tied in to a specific telco operator. So supporting only Turkcell but not AVEA
is not acceptable.
The license for the produced code will be Apache, and all required components (i.e. APIs, libraries, services)
should be chosen as open source.
The project requires an early start. Delays will increase risks considerably.
The project require some knowledge about networking, and more should be learnt on the way.
The project assumes some knowledge about Linux and virtualization, gaps in this area should be filled early in
the project.