CENG SP-FORM1 (Version: July 2015)
ÇANKAYA UNIVERSITY, Computer Engineering Department
CENG 407–408 Senior Project (Innovative System Design and Development) Proposal Form

This form should be used for all CENG 407–408 Senior Project Proposals. A topic can be jointly proposed by faculty, company and/or student, and signed by at least one of the partners.

Part I. Project Proposer
Names (supervisor, company, student) and organizations; E-Mail; Mobile; Signature
Supervisor:
Company: Portakal Teknoloji (contact: Bora Güngören), E-Mail: [email protected]
Students:

Part II. Project Information, to be completed by the proposer (Faculty, Student and/or Company)
Starting Term: 2016/2017, ☒ Fall ▢ Spring
Title: SECURE DEDICATED MOBILE APN MANAGEMENT IN CLOUD (SEAPN-CANKAYA)

Description (extra sheets can be added)

The Problem Statement

As the number of mobile devices in organizations increases, managing these mobile assets and providing services to their users increases the complexity of information systems. In particular, integrating services that are offered through mobile devices (smart phones, tablets) or that collect information through such devices (sensor network nodes, industrial IoT devices, home automation tools, etc.) becomes problematic because these devices are on separate networks. Security concerns are also present but are often not addressed because of these integration problems.

In a practical situation, many devices will be using a cellular-network-based internet connection (i.e. 3G/4G) through different service providers (i.e. Turkcell, Vodafone, etc.), and they will necessarily be connected to other assets (i.e. server-based software) located in different places (company data centers, co-location provider data centers, cloud service providers). This presents the following problem: the devices are not on the same network, and the IP addresses of the mobile devices change all the time.

Some solutions to this problem have been tested in the past:

1. Let the mobile devices notify servers about their new IP address.
This requires a service to be installed on the mobile devices. Developing this service and maintaining its compatibility with all mobile device models is very problematic. Besides, users are concerned about installing such a service. So this is not feasible for smart phones or tablets.

2. Let all the mobile devices have static IP addresses. This approach has an additional cost item: the static IP is rented monthly from the network operator (i.e. Turkcell). Also, if the devices are on different networks their IP addresses will not be in consecutive blocks (i.e. Turkcell- and Vodafone-connected devices will not have similar IP addresses), and this makes network management harder.

The ideal solution would enable the company network administrator to easily manage the IP addresses of the mobile devices. The usual, near-ideal solution for this is called a Dedicated Mobile Access Point Name (Mobile APN for short; see the resources). In this solution, the network provider creates a virtual operator name for a company, which appears in the mobile devices. The devices' IP addresses are either specified or managed through a common network service (usually RADIUS, but also Diameter). So a company can determine a device's IP address through its GSM network number (i.e. 533-1234567 is 88.224.22.67, and 533-1234568 is 88.224.22.68), but this works for a single mobile operator only. The solution is not necessarily integrated across different operators, and it requires the company to set up a RADIUS server and a back-end database server (usually MySQL). The ideal solution would enable companies to manage Mobile APNs provided by multiple operators through their own infrastructure.

The security aspect is usually handled, to a degree, using Virtual Private Networks (VPNs). For operational simplicity and scalability, telco operators suggest establishing an IPSEC VPN in a Hub-and-Spoke topology.
In this topology, companies are assumed to have their VPN infrastructure set up at their headquarters or at a data center (DC) of their choice (including cloud). This requires the companies to set up a firewall and a VPN concentrator. The VPN connection between the company DC and the telco is encrypted. Note that telco companies assume their clients' trust, so the privacy of company traffic inside the telco network is assumed not to be compromised.

Using these two partial solutions together enables a degree of security coupled with a degree of management. In particular, the IP addresses of the managed mobile devices can now be set up in an internal IP address block (i.e. 192.168.2.2, 192.168.2.3) so that the other software running in the data center can be used together with them.

The problem with the status quo is that it is not easy to deploy, not easy to manage and usually not scalable:

1. Many companies actually need Mobile APNs but they do not have the IT staff to set up and maintain the above architecture.
2. IPSEC VPNs are relatively simple to establish, but having a cost-effective and scalable setup is not easy. This is in particular true when the VPN is managed by the company's existing generic firewall. A cost-effective way of establishing and managing a scalable VPN concentrator that is dedicated to Mobile APN use is required.
3. Companies cannot easily manage the IP address allocation for devices because they do not have an easy-to-use user interface for this task. Usually some non-technical department assigns the devices to employees and then requests the network administrators to set up the Mobile APN settings for that particular device manually. In the worst cases it may take up to several weeks to enable a device to access the Mobile APN. Also, discarding older or stolen devices becomes problematic.
4. Many companies do not have appropriate data centers, and co-location providers charge significant amounts for under-utilized and small hardware such as firewalls and VPN concentrators. Also, many companies set up RADIUS and MySQL servers on separate physical machines, and this increases costs for them. Giving up availability and scalability for lower costs is the common but not necessarily wise decision.

[Figure 1. Simple representation of IPSEC VPN and Mobile APN Management. Company side (COMPANY SERVERS): Company FW, VPN Concentrator, Company RADIUS Server, Company DB Server. Telco side (TELCO SERVERS): TELCO FW, VPN Concentrator, TELCO RADIUS Server, and the DEVICE on the 3G network. The two sides are connected over the INTERNET.]

[Figure 2. Mobile Device Authentication Sequence. Telco FW/VPN and Co. FW/VPN: Establish IPSEC VPN, OK. Mobile Device to Telco NAS: Request Connection. Telco NAS to Telco RADIUS: Authenticate Device (GSM Number). Telco RADIUS to Co. RADIUS: Authenticate Device (GSM Number). Co. RADIUS to Co. MySQL: Query, Result. Authentication Success with the Co. Local IP Address is then returned to the Telco RADIUS and the Telco NAS, and the Co. Local IP Address to the Mobile Device.]

Proposed Solution (SEAPN-CANKAYA)

The proposed solution makes use of open source components to solve the problem with a good architecture and a small but very high quality code base.

1. Open source firewalls (in particular Pfsense) can easily be set up in virtual machines and in clusters. They can also be used as VPN concentrators.
2. Open source RADIUS (and Diameter) server implementations can be virtualized and clustered easily.
3. MySQL clusters or MySQL-compatible DB clusters can be used to store configuration parameters.
4. OS and application virtualization enable a smart setup to have horizontal scalability for each component.

Hence the solution will incorporate:

1. A managed cluster of Pfsense firewall instances configured for load balancing and high availability, installed as virtual machines. These virtual machines will initially be created in a Virtualbox environment and then be ported to the AWS cloud through the use of Vagrant.
2. A managed cluster of virtualized RADIUS (and Diameter) servers configured to get their configurations from a relational database. The virtualization shall be done through Docker, which is the main (superstar) tool used by Google, IBM, Red Hat, and practically everyone else. The setup will first be tested on Virtualbox and then migrated to AWS for further testing.
3. A managed cluster of MySQL servers configured to store RADIUS (and Diameter) configuration parameters as well as other data. The virtualization shall be done through Docker and the clustering through Galera. The setup will first be tested on Virtualbox and then migrated to AWS for further testing.
4. A web application that enables users and network administrators of companies to simply manage the IPSEC VPN and Mobile APN configuration parameters. This application can be developed using any open source toolset, but for advanced security Java Server Faces (JSF) is preferred. JSF is actually very easy to learn because a UI-design-driven development life cycle similar to PHP is supported. The Tomcat containers for this web application should also be clustered using Apache/Tomcat's own capabilities and virtualized through Docker.

[Figure 3. Degrees of Virtualization in SEAPN. Infrastructure: Oracle Virtualbox, Amazon (AWS). OS-Level Virtualization: Pfsense Cluster (Firewall/VPN), Linux Virtual Machines. Application Virtualization: FreeRADIUS Server (Cluster), FreeDiameter Server (Cluster), MySQL Server (Galera Cluster), Tomcat Server (Cluster).]

[Figure 4. Adding and discarding devices from a Web UI in SEAPN. Staff to Web UI: Add Device (GSM Number, Class, Expiration, etc.); Web UI to DB: Add Configuration, OK. Telco RADIUS to Co. RADIUS: Query; Co. RADIUS to DB: Query, OK; Co. RADIUS to Telco RADIUS: OK, IP. Staff to Web UI: Remove Device; Web UI to DB: Update Configuration, OK. Telco RADIUS to Co. RADIUS: Query; Co. RADIUS to DB: Query, Not OK; Co. RADIUS to Telco RADIUS: Not OK.]

Important Notes on Development Schedule and Methodology

This is an intensive project, but it will give the students a unique opportunity to learn several skills (in very high demand) that will help them be ready for their professional life. Most of these skills are about tools (mobile APNs, clustering databases, Docker virtualization, using AWS, development in JSF, etc.), but the most important of them all is to gain a modern, systematic, and open working style. The student team is required to:

1. Have an open and transparent style. All work should be committed to an open access configuration management system (i.e. GitHub). Uncommitted work will be assumed non-existent.
2. Have weekly meetings starting immediately and continuing through final exams and semester breaks. Workload may be variable, but there is no reason to skip meetings.
3. Document everything, but not necessarily as long and extremely detailed reports. Blogging and discussing designs through online project management software (i.e. Bitrix24) are also considered documentation. However, the documentation required by the university should also be prepared.
4. Testing is of the essence. When designing and implementing even a small code block, how to test it should be discussed. Unit tests may be required for some code segments, and integration testing will be compulsory.
5. Use and contribute to other open source software when possible. Open source is a very good method of developing and testing software that may be used by a large number of users. As the target for this project includes many organizations, the student team will probably find many parts of their design already implemented elsewhere under an open source project. When possible, code re-use through open source repositories and contributions to those repositories is encouraged.
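The company-side lookup of Figures 2 and 4 (Co. RADIUS queries the company DB by GSM number and answers with a company-local IP, or "Not OK" once staff have removed the device), modelled as an added Python example that is not part of the proposal or of FreeRADIUS. The table layout, the 192.168.2.0/24 block, ISO 8601 expiry strings and the use of the RADIUS Session-Timeout attribute to end a session at the device's expiration are assumptions made here for illustration.

```python
# Added example (not the proposal's code): stand-in for the Co. RADIUS -> Co. DB
# lookup of Figures 2 and 4; table layout, block and Session-Timeout use are assumptions.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Tuple

@dataclass
class Device:
    gsm_number: str    # the key the telco RADIUS forwards (Figure 2)
    device_class: str  # class chosen by staff in the Web UI (Figure 4)
    expires: datetime  # refuse the device from this moment on
    ip: IPv4Address    # fixed company-local address, e.g. 192.168.2.2

class DeviceRegistry:
    """Models the company device table that Co. RADIUS queries."""
    def __init__(self, block: str = "192.168.2.0/24") -> None:
        # .1 is kept for the gateway, so devices get .2, .3, ... as in the text
        self.pool = list(IPv4Network(block).hosts())[1:]
        self.devices: Dict[str, Device] = {}

    def add_device(self, gsm: str, device_class: str, expires: str) -> Device:
        """Web UI 'Add Device': staff enter GSM number, class and expiry; the IP is allocated here."""
        if gsm in self.devices:
            raise ValueError(f"{gsm} is already registered")
        in_use = {d.ip for d in self.devices.values()}
        ip = next((h for h in self.pool if h not in in_use), None)
        if ip is None:
            raise RuntimeError("address block exhausted")
        dev = Device(gsm, device_class, datetime.fromisoformat(expires), ip)
        self.devices[gsm] = dev
        return dev

    def remove_device(self, gsm: str) -> None:
        """Web UI 'Remove Device' (old or stolen phone): frees the IP; later queries get 'Not OK'."""
        self.devices.pop(gsm, None)

    def authorize(self, gsm: str, now: str) -> Tuple[str, Dict[str, object]]:
        """Answer the telco's 'Authenticate Device (GSM Number)' query RADIUS-style."""
        dev = self.devices.get(gsm)
        at = datetime.fromisoformat(now)
        if dev is None:
            return "Access-Reject", {"Reply-Message": "unknown device"}
        if at >= dev.expires:
            return "Access-Reject", {"Reply-Message": "device expired"}
        # Session-Timeout makes the telco NAS end the session at expiry even if the
        # device stays attached; rejecting only new requests would leave it connected.
        remaining = int((dev.expires - at).total_seconds())
        return "Access-Accept", {"Framed-IP-Address": str(dev.ip), "Session-Timeout": remaining}
```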
Online resources for interested students

[1] Mobile APN article on Wikipedia, https://en.wikipedia.org/wiki/Access_Point_Name
[2] RADIUS protocol article on Wikipedia, https://en.wikipedia.org/wiki/RADIUS
[3] Diameter protocol article on Wikipedia, https://en.wikipedia.org/wiki/Diameter_(protocol)
[4] Short RADIUS vs. Diameter discussion in a Cisco data sheet, http://www.cisco.com/en/US/products/ps6638/products_data_sheet09186a00804fe332.html
[5] IPSEC article on Wikipedia, https://en.wikipedia.org/wiki/IPsec
[6] IPSEC WAN Design guide by Cisco, http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008074f22f.pdf
[7] Pfsense project home page, https://www.pfsense.org/
[8] Scalability article on Wikipedia, https://en.wikipedia.org/wiki/Scalability
[9] Short Stackoverflow discussion about horizontal and vertical scalability in databases, http://stackoverflow.com/questions/11707879/difference-between-scaling-horizontally-and-vertically-for-databases
[10] Vagrant project web site, https://www.vagrantup.com/
[11] FreeRADIUS project web site, http://freeradius.org/
[12] FreeDiameter project web site, http://www.freediameter.net/trac
[13] Docker project web site, https://www.docker.com/
[14] Stackoverflow discussion on how Docker differs from OS virtualization from a developer's perspective, http://stackoverflow.com/questions/16047306/how-is-docker-different-from-a-normal-virtual-machine
[15] Galera cluster web site, http://galeracluster.com/
[16] Tutorial on setting up a Galera MySQL cluster with Docker, http://www.severalnines.com/blog/how-deploy-galera-cluster-mysql-using-docker-containers
[17] Official HOW-TO on clustering Tomcat 8, http://tomcat.apache.org/tomcat-8.0-doc/cluster-howto.html
[18] A very realistic tutorial on clustering Tomcat 8, https://www.mulesoft.com/tcat/tomcat-clustering

Justification

Novelty
1. The solution will be the first that allows companies to integrate IP address management across multiple operators (i.e. Turkcell, Vodafone and AVEA all together).
2. The solution will support not only RADIUS but also Diameter.
3. The solution will not be limited to using MySQL. Amazon RDS should also be supported.
4. The application architecture is required to use both operating system and application virtualization. In particular, AWS and Virtualbox will be used to virtualize OS instances, and Vagrant will be used to manage their deployment. Docker/Kubernetes will be used to virtualize application servers and

Complexity
1. The project is about integrating many parts, managing complexity and hiding the complexity from the users, so the project itself is inherently complex. There is no chance that a not-so-complex alternative can be developed.
2. Virtualization of services through containers (in particular Docker) requires a higher degree of understanding of software architecture.
3. Use of COTS components for IPSEC, RADIUS, Diameter, MySQL, etc. has its advantages but also brings additional requirements about integration.
4. This project is network intensive. To debug some possible errors, the use of network tools (in particular traffic monitoring) will be required.

Constraints: economics, sustainability, environment, ethics, security, health, social and political issues
1. The solution is required to be secure. Therefore support for IPSEC VPN is a must.
2. The solution is required not to be tied to a specific cloud platform. So migration from Amazon to another cloud service provider (i.e. IBM, Digital Ocean, etc.) should be supported.
3. The solution is required not to be tied to a specific telco operator. So supporting only Turkcell but not AVEA is not acceptable.
4. The license for the produced code will be Apache, and all required components (i.e. APIs, libraries, services) should be chosen as open source.

Risks involved
1. The project requires an early start. Delays will increase risks considerably.
2. The project requires some knowledge about networking, and more should be learnt on the way.
3. The project assumes some knowledge about Linux and virtualization; gaps in this area should be filled early in the project.