eduroam
Klaas Wierenga
Security SEVT, August 25, 2009
Presentation_ID
© 2006 Cisco Systems, Inc. All rights reserved.
Cisco Confidential
1
The goal of eduroam
• "open your laptop and be online"
• To build an interoperable, scalable and secure authentication infrastructure that will be used all over the world, enabling seamless sharing of network resources
Requirements
• Identify users uniquely at the edge of the network
  – No session hijacking
  – Preserving privacy
• Enable guest usage
• Scalable
  – Local user administration and authentication
• Easy to install and use
  – At most a one-time installation by the user
• Secure
• Open
Evaluated in TERENA TF-Mobility
Standard solutions provided by APs:
• Open access: scalable, not secure
• MAC address: not scalable, not secure
• WEP: not scalable, not secure
Alternative solutions:
• Web gateway + RADIUS (captive portal)
• VPN gateway
• 802.1X + RADIUS
Open network + web gateway
• Open (limited) network; a gateway between the (W)LAN and the rest of the network intercepts all traffic (session intercept)
• Can use a RADIUS backend to verify user credentials
• Guest use easy
• Browser necessary (but ubiquitous)
• Hard to maintain accountability
  – Session hijacking
Open network + VPN gateway
• Open (limited) network; the client must authenticate on a VPN concentrator to get to the rest of the network
• Client software needed
• Proprietary
• Hard to scale
• VPN concentrators are expensive
• Guest use hard (sometimes VPN in VPN)
• All traffic encrypted
• NB: this is about VPN for network access, not for confidentiality!
IEEE 802.1X
• True port-based access solution (layer 2) between client and AP/switch
  – Association between layer 2 and layer 3 address needed
• Several available authentication mechanisms through the use of EAP (Extensible Authentication Protocol)
• Standardised
• Also encrypts all data on the wireless path, using dynamic keys
• RADIUS back-end:
  – Scalable
  – Re-use existing trust relationships
• Easy integration with dynamic VLAN assignment (802.1Q)
• Client software necessary (OS built-in or third-party)
• Future proof (WPA, WPA2/802.11i)
• For wireless and wired
eduroam architecture
• Secure access based on 802.1X (WPA, WPA2)
  – Protection of credentials
  – Different authentication mechanisms possible by using EAP (Extensible Authentication Protocol): username/password, X.509 certificates, SIM cards
  – Integration with dynamic VLAN assignment (802.1Q)
• Roaming based on RADIUS proxying
  – Remote Authentication Dial In User Service
  – Transport protocol for authentication information
• Trust fabric based on:
  – Technical: RADIUS hierarchy
  – Policy: documents/contracts that define the responsibilities of user, institution, NREN and the eduroam federation
• AuthN by home institution, AuthZ by visited institution
Secure access to the network with 802.1X
[Figure: 802.1X at a single institution. Supplicant (user [email protected]_a.nl) -> Authenticator (AP or switch) -> University A RADIUS server -> User DB. The RADIUS server places the port in the Commercial, Employee or Student VLAN; signaling (802.1X/RADIUS) and data paths are drawn separately. Source: SURFnet]
• 802.1X
• (VLAN assignment)
eduroam
[Figure: eduroam roaming. Guest pete@university_b.ac.uk at University A: Supplicant -> Authenticator (AP or switch) -> University A RADIUS server -> SURFnet central RADIUS proxy server -> University B RADIUS server -> University B User DB. University A assigns the Commercial, Employee or Student VLAN; signalling and data paths are drawn separately. Source: SURFnet]
• Trust based on RADIUS plus policy documents
• 802.1X
• EAP for mutual authentication and privacy protection
• (VLAN assignment)
Tunneled authentication
[Figure: Access Point -> RADIUS@visited -> eduroam hierarchy (RADIUS + TLS channel(s)) -> RADIUS@home -> Id Repository]
• EAP tunnel terminates @home!

RADIUS@visited (outer request as received from the access point):
Tue Oct 10 00:05:15 2006: DEBUG: Packet dump:
*** Received from 145.99.133.194 port 1025 ....
Code:       Access-Request
Identifier: 1
Authentic:  k<145><206><152><185><0><0><0><249><26><0><0><208>D<1><16>
Attributes:
    User-Name = "[email protected]"
    NAS-IP-Address = 145.99.133.194
    Called-Station-Id = "001217d45bc7"
    Calling-Station-Id = "0012f0906ccb"
    NAS-Identifier = "001217d45bc7"
    NAS-Port = 55
    Framed-MTU = 1400
    NAS-Port-Type = Wireless-IEEE-802-11
    EAP-Message = <2><0><0><1>[email protected]
    Message-Authenticator = <27>`y<208><232><252><177>.<160><230><177>I<218><243>\

RADIUS@home (inner TTLS request, handled by the home server's Radiator):
Tue Oct 10 00:17:32 2006: DEBUG: Handling request with Handler 'TunnelledByTTLS=1, Realm=/guest.showcase.surfnet.nl/i'
Tue Oct 10 00:17:32 2006: DEBUG: Deleting session for Klaas.Wierenga@guest.showcase.surfnet.nl, 145.99.133.194,
Tue Oct 10 00:17:32 2006: DEBUG: Handling with Radius::AuthFILE: SC-GUEST-ID
Tue Oct 10 00:17:32 2006: DEBUG: Reading users file /etc/radiator/db/showcase-guest-users
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE looks for match with Klaas.Wierenga@guest.showcase.surfnet.nl [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: Radius::AuthFILE ACCEPT: : Klaas.Wierenga@guest.showcase.surfnet.nl [[email protected]]
Tue Oct 10 00:17:32 2006: DEBUG: AuthBy FILE result: ACCEPT,
Tue Oct 10 00:17:32 2006: DEBUG: Access accepted for Klaas.Wierenga@guest.showcase.surfnet.nl
Tue Oct 10 00:17:32 2006: DEBUG: Returned TTLS tunnelled Diameter Packet dump:
Code:       Access-Accept
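The outer Access-Request in the dump above is what every proxy on the path sees: an EAP-Message attribute carrying the EAP packet and a Message-Authenticator that is an HMAC-MD5 over the packet keyed with the shared secret of the NAS and its RADIUS server (RFC 3579). The following is an added example, not code from the slides, Radiator or FreeRADIUS: it rebuilds a request with the attribute types and values from that dump, shows how an EAP packet that does not fit one attribute is split over consecutive 253-byte EAP-Message attributes and reassembled, and checks Message-Authenticator the way a receiving server must (recompute with the attribute value zeroed, reject if it is missing). The shared secret, the Request Authenticator and the identities used for testing are constructed for the demo.

```python
"""RADIUS Access-Request construction and Message-Authenticator verification.

Added example (not slide content, not Radiator or FreeRADIUS code). Attribute
types and values come from the dump above; the shared secret, the Request
Authenticator and any identity passed in are constructed for this demo.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
# Attribute type codes (RFC 2865, RFC 3579)
USER_NAME, NAS_IP_ADDRESS, NAS_PORT, FRAMED_MTU = 1, 4, 5, 12
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
NAS_PORT_TYPE, EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 61, 79, 80
WIRELESS_80211 = 19   # NAS-Port-Type value for Wireless-IEEE-802-11
MAX_AVP_VALUE = 253   # one-byte length field covers type + length + value (255)


def avp(atype: int, value: bytes) -> bytes:
    """Encode one attribute as type, length, value."""
    if len(value) > MAX_AVP_VALUE:
        raise ValueError("attribute value too long; split it first")
    return struct.pack("!BB", atype, len(value) + 2) + value


def eap_message_avps(eap: bytes) -> bytes:
    """Carry an EAP packet in consecutive EAP-Message attributes (RFC 3579 3.1)."""
    return b"".join(avp(EAP_MESSAGE, eap[i:i + MAX_AVP_VALUE])
                    for i in range(0, len(eap), MAX_AVP_VALUE))


def eap_identity_response(identifier: int, identity: str) -> bytes:
    """EAP Response/Identity: code 2, identifier, length, type 1, identity."""
    body = b"\x01" + identity.encode()
    return struct.pack("!BBH", 2, identifier, 4 + len(body)) + body


def build_access_request(identifier: int, secret: bytes, identity: str,
                         nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Build an Access-Request shaped like the dump above, Message-Authenticator last."""
    authenticator = authenticator if authenticator is not None else os.urandom(16)
    attrs = (avp(USER_NAME, identity.encode())
             + avp(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + avp(CALLED_STATION_ID, b"001217d45bc7")
             + avp(CALLING_STATION_ID, b"0012f0906ccb")
             + avp(NAS_IDENTIFIER, b"001217d45bc7")
             + avp(NAS_PORT, struct.pack("!I", 55))
             + avp(FRAMED_MTU, struct.pack("!I", 1400))
             + avp(NAS_PORT_TYPE, struct.pack("!I", WIRELESS_80211))
             + eap_message_avps(eap_identity_response(0, identity))
             + avp(MESSAGE_AUTHENTICATOR, bytes(16)))   # zero placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    # HMAC-MD5 over the whole packet with the placeholder still zeroed (RFC 3579 3.2)
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac


def attributes(packet: bytes) -> list:
    """Parse the attribute list as (type, offset, value), rejecting bad lengths."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    out, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        out.append((atype, pos, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute the HMAC with the attribute value zeroed; absent means reject."""
    for atype, pos, value in attributes(packet):
        if atype == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False   # an EAP-carrying request without Message-Authenticator is dropped


def reassemble_eap(packet: bytes) -> bytes:
    """Concatenate EAP-Message attributes in order to recover the EAP packet."""
    return b"".join(v for t, _, v in attributes(packet) if t == EAP_MESSAGE)


if __name__ == "__main__":
    secret = b"demo-shared-secret"   # constructed for the demo
    pkt = build_access_request(1, secret, "Klaas.Wierenga@guest.showcase.surfnet.nl",
                               "145.99.133.194")
    print("genuine:", verify_message_authenticator(pkt, secret))
    print("tampered:", verify_message_authenticator(pkt.replace(b"Klaas", b"Claas"), secret))
    print("eap:", reassemble_eap(pkt))
```

Note that Message-Authenticator protects only the hop between a NAS and its server, and each RADIUS proxy in the hierarchy recomputes it with its own peer secret; the end-to-end integrity and confidentiality of the credential comes from the EAP-TTLS tunnel, which only the home server opens.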
eduroam hierarchy
[Figure: RADIUS proxy tree]
(virtual) eduroam root
  – European root: .nl, .ac.uk, .dk, .pt, .es, ...
  – APAN root: .au, .cn, ...
  – (America's root): .edu, .ca, ...
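The roaming figure, the tunneled authentication log and this hierarchy describe one mechanism: every proxy routes on the realm of the outer User-Name, the EAP-TTLS tunnel is opened only by the home server, which checks the inner identity against its own user file, and the visited site turns the home server's yes/no into a VLAN. The following is an added example, not eduroam, SURFnet or Radiator code, that models that mechanism in Python; the server names, the proxy table, the user file, the password and the VLAN names are constructed for the demo. It also covers the cases the slides' design implies but do not show: a User-Name without a realm is rejected at the first hop, a realm nobody is authoritative for is rejected at the root, a national proxy rejects unknown realms in its own country instead of bouncing them upward, and a home server rejects an inner identity whose realm does not match the routed one.

```python
"""Realm-based RADIUS proxying through an eduroam-style hierarchy, with the
EAP tunnel terminating at home and VLAN authorization at the visited site.
Added example, not eduroam, SURFnet or Radiator code: server names, the
proxy table, the user file and the VLAN names are constructed for this demo."""
from dataclasses import dataclass, field
from typing import Optional

MAX_HOPS = 8   # backstop against forwarding loops in a misconfigured proxy table


def split_nai(user_name: str) -> tuple:
    """Split a Network Access Identifier (user@realm) into (user, realm)."""
    if "@" not in user_name:
        return user_name, ""
    user, _, realm = user_name.rpartition("@")
    return user, realm.lower()


@dataclass
class Request:
    outer_identity: str   # User-Name attribute; every proxy on the path sees it
    inner_identity: str   # identity inside the TTLS tunnel; only home sees it
    password: str         # likewise tunnel-protected (constructed demo credential)
    path: list = field(default_factory=list)   # servers that handled the request


@dataclass
class Server:
    name: str
    realms: set = field(default_factory=set)      # realms this server is home for
    suffixes: set = field(default_factory=set)    # realm suffixes it is authoritative for
    users: dict = field(default_factory=dict)     # inner identity -> password (constructed)
    parent: Optional["Server"] = None
    children: dict = field(default_factory=dict)  # realm or suffix -> child server

    def add_child(self, child: "Server") -> "Server":
        for s in child.realms | child.suffixes:
            self.children[s] = child
        child.parent = self
        return child

    @staticmethod
    def _under(realm: str, suffix: str) -> bool:
        return realm == suffix or realm.endswith("." + suffix)

    def handle(self, req: Request, hops: int = 0) -> str:
        req.path.append(self.name)
        if hops > MAX_HOPS:
            return "Access-Reject"
        _, realm = split_nai(req.outer_identity)
        if not realm:
            return "Access-Reject"   # nothing to route on; never forwarded
        if realm in self.realms:
            return self.terminate(req)
        for suffix, child in self.children.items():
            if self._under(realm, suffix):
                return child.handle(req, hops + 1)
        if any(self._under(realm, s) for s in self.suffixes):
            return "Access-Reject"   # unknown realm in our own domain: don't bounce it up
        if self.parent is not None:
            return self.parent.handle(req, hops + 1)
        return "Access-Reject"       # unknown realm at the root

    def terminate(self, req: Request) -> str:
        """Home server: the EAP-TTLS tunnel ends here and the inner identity is checked."""
        _, inner_realm = split_nai(req.inner_identity)
        if inner_realm and inner_realm not in self.realms:
            return "Access-Reject"   # inner realm must be ours, not just the outer one
        if self.users.get(req.inner_identity) == req.password:
            return "Access-Accept"
        return "Access-Reject"


def authorize(visited: Server, req: Request, result: str) -> Optional[str]:
    """Visited site maps the home server's yes/no onto its own VLANs (AuthZ stays local)."""
    if result != "Access-Accept":
        return None
    _, realm = split_nai(req.outer_identity)
    return "employee" if realm in visited.realms else "guest"


def build_hierarchy() -> dict:
    """Constructed proxy tree modelled on the hierarchy slide (names are not real hosts)."""
    root = Server("eduroam-root")
    europe = root.add_child(Server("european-root", suffixes={"nl", "ac.uk"}))
    surfnet = europe.add_child(Server("surfnet-proxy", suffixes={"nl"}))
    uk = europe.add_child(Server("uk-proxy", suffixes={"ac.uk"}))
    univ_a = surfnet.add_child(Server("university-a", realms={"university_a.nl"}))
    showcase = surfnet.add_child(Server(
        "showcase", realms={"guest.showcase.surfnet.nl"},
        users={"Klaas.Wierenga@guest.showcase.surfnet.nl": "demo-pass"}))
    univ_b = uk.add_child(Server(
        "university-b", realms={"university_b.ac.uk"},
        users={"pete@university_b.ac.uk": "demo-pass"}))
    return {"root": root, "university-a": univ_a, "showcase": showcase, "university-b": univ_b}


def roam(visited: Server, outer: str, inner: str, password: str) -> tuple:
    """One roaming attempt: returns (result, vlan, path of servers that saw it)."""
    req = Request(outer, inner, password)
    result = visited.handle(req)
    return result, authorize(visited, req, result), req.path


if __name__ == "__main__":
    h = build_hierarchy()
    # Pete from University B (UK) opens his laptop at University A (NL); outer identity is anonymous.
    print(roam(h["university-a"], "anonymous@university_b.ac.uk", "pete@university_b.ac.uk", "demo-pass"))
```

The path printed for Pete is university-a, surfnet-proxy, european-root, uk-proxy, university-b: five RADIUS hops, each a separate shared-secret (or RadSec) trust relationship, and only the last one ever sees the inner identity or the password.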
eduroam status
• Canada member since June 2008
• > 600 service providers
• Trials in Latin America, US
• Approx. 10 million users
Spin-off: RadSec
• eduroam problems:
  – Dead peer discovery
  – Fragmentation
  – Managing shared-secret/IP-address based trust
  – Static hierarchy
  – DIAMETER not available
• RADIUS with:
  – TLS
  – TCP
• draft-ietf-radext-radsec-02.txt, draft-dekok-radext-tcp-transport-01.txt
• Implementations in Radiator, FreeRADIUS (in progress), radsecproxy, and OpenWRT and LANCOM APs
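What the switch from UDP RADIUS to RadSec changes is the trust anchor of each proxy hop: a per-peer shared secret bound to a source IP address becomes an X.509 certificate chained to a federation CA, carried over TCP so that a dead peer is detected by the transport rather than by a retransmit timeout, and large EAP exchanges are no longer subject to UDP fragmentation. The fragment below is an added example in radsecproxy configuration syntax, not from the slides or the radsecproxy project; the hostnames, certificate paths, secrets and realm patterns are assumptions, and it contrasts the weak UDP client definition with the TLS server definition that replaces it.

```conf
# Added example (not from the slides or radsecproxy): hostnames, paths,
# secrets and realm patterns are assumptions for illustration.

# Before: UDP RADIUS from the access point. Trust is the source IP address
# plus a shared secret; that pair has to be managed for every peer.
client 145.99.133.194 {
    type    udp
    # constructed secret; one per NAS/server pair
    secret  demo-shared-secret
}

# After: RADIUS over TLS (RadSec) towards the next hop in the hierarchy.
# Trust is the peer certificate chained to the federation CA.
tls default {
    CACertificateFile   /etc/radsecproxy/certs/eduroam-ca.pem
    CertificateFile     /etc/radsecproxy/certs/visited.example.nl.pem
    CertificateKeyFile  /etc/radsecproxy/certs/visited.example.nl.key
}

server national-proxy {
    # assumed hostname of the national (.nl) proxy
    host                  ftlr.example.nl
    type                  tls
    # fixed placeholder value for RADIUS/TLS; the TLS session is the protection
    secret                radsec
    certificateNameCheck  on
    # Status-Server probes give liveness information on top of the TCP session
    statusServer          on
}

server local-radius {
    host    127.0.0.1
    type    udp
    secret  demo-local-secret
}

# Route on the realm of the outer identity only: our own realm stays local,
# any other realm goes up the hierarchy, and a name without a realm is never
# forwarded because nobody could route it.
realm /@university_a\.nl$/ {
    server  local-radius
}
realm /@/ {
    server  national-proxy
}
realm * {
    replyMessage  "Missing or unroutable realm"
}
```

The order of the realm blocks matters: radsecproxy uses the first match, so the local realm must precede the catch-all /@/ pattern and the realm-less default comes last.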
Cisco & eduroam
• > 80% of WLAN deployments are Cisco
• < 1% of RADIUS deployments are Cisco
  – FreeRADIUS, Radiator dominant
  – No TTLS support, proxy issues
• < 5% of supplicants are Cisco
  – SecureW2, Xsupplicant, Intel client dominant
  – Free supplicants
• > 80% EAP-TTLS
  – ~10% PEAP
  – EAP-FAST too new, no perceived high benefit
• Working with Joe Salowey, Nancy Cam-Winget to introduce EAP-FAST in eduroam
• Working with Joe, Nancy and Hao Zhou in IETF emu and radext WGs on RadSec and tunnel bindings
More info
• Whitepaper (EDCS-771033): http://wwwin-eng.cisco.com/Eng/CTO/Security/eduroam.doc
• Website: http://www.eduroam.org
• eduroam cookbook: http://www.eduroam.org/downloads/docs/GN2-08-230-DJ5.1.5.3eduroamCookbook.pdf
• TERENA task force on Mobility: http://www.terena.org/activities/tf-mobility/