1
Seamless – Yet Secure - Hotspot Roaming
Steve Reyes, Product Management and Development
4501 Intelco Loop SE, Olympia, WA 98507
[email protected]
Wi-Fi Summit 2003
2
Vision: Mobile and Portable Computing
(Diagram: the Internet linking a Public WLAN Service Provider (AAA Servers, Billing/Customer Care Servers), an Enterprise running Legacy and Web Enterprise Applications, a Public WLAN "HotSpot", an xDSL/Cable Broadband user, and a Small Manufacturing Site or Branch Office, connected over T1/T3 and Cable/DSL links)
3
Market Forecasts – All Over the Map
(Charts, each showing analyst forecasts that diverge widely: U.S. Hotspots, number of hotspots, 2002–2006 (IDC June 2002 forecast, actual/forecast as announced, Analysys Research, Goldman Sachs, Pyramid); Global PwLAN Service Revenues, $ billions, 2002–2006, split into Home, Enterprise and Public Access (IDC, Synergy); U.S. Wi-Fi Penetration, % of broadband connections, with low and high estimates ranging from 5% to 50% (Analysys, Alexander Resources, TeleAnalytics, Goldman Sachs); Global Wi-Fi Equipment Sales, $ billions, 2006–2007, with a "Consensus View" marked)
4
Key Market Inhibitors
There are two major barriers holding back significantly higher levels of Wi-Fi adoption.
1. Security Concerns
Enterprises have been slow to build out WLANs due to concerns over network security (e.g., unauthorized access).
2. Lack of a standard roaming infrastructure
The lack of broadly accessible "roaming" standards fosters "closed networks" and significantly reduces the value proposition to end users, hotspot operators and network service providers:
• Fewer enterprise deployments
• Lower carryover of users into hotspots and homes
• Economies of scale not realized
• End-user inconvenience lowers demand
5
Evolution
(Chart: Realizable Market Opportunity against Time, with a "Today" marker)
Phase I: Closed and non-secure
Phase II (2003): Closed but secure
Phase III (2005): Open and secure
6
Requirements of Major Constituents
Unleash the Opportunity
WLAN Infrastructure Vendors
• Need to solve WLAN security issues in order to grow the market
Enterprise Customers
• ROI
• Unwilling to deploy until WLAN security is properly addressed
• Require a complete solution bundle for WLAN network design, portability and mobility
WLAN Service Providers
• Broadband ISPs looking for new revenue streams
• 3G networks need to seed wireless data services usage
Consumers/SMB Customers
• Want to deploy low-TCO LANs
• Want public WLAN roaming capabilities
7
The Security Conundrum
• SSID association is NOT a security mechanism
  – The SSID is broadcast and can be sniffed (and broadcasting it is desirable, so that clients can find the network)
  – OR, if it is hidden, interoperability is limited
• MAC address control lists – not maintainable
• Authorization – all-or-nothing problem
• WEP (privacy control)
  – Vulnerable
  – Key management headache
• VPN
  – Requires client software
  – Install/configuration effort
  – Expensive
8
The Security Conundrum
• Vendor security frameworks
  – Proprietary
  – May impact interoperability
  – May limit choice of vendors
• Cisco's LEAP
  – Mutual authentication of clients and APs
  – Per-session WEP key for encryption
  – Caveat: LEAP's MS-CHAP-style password challenge/response is exposed to offline dictionary attack on the user's password
• Agere's Advanced Mobile Security Architecture (AMSA)
  – RC4 per-session encryption with Diffie-Hellman key exchange
  – Supports EAP-TLS with WEP encryption and key refresh
• Symbol
  – Based on Kerberos
  – Mutual authentication, end-to-end encryption
  – Per-session dynamic key distribution
9
Web-Based Security
• Browser-based authentication via username/password through an encrypted (SSL) browser window
• Typically employs an Access Controller located between the wireless AP and the internal LAN or Internet
• Best suited for "guest services"
• Vulnerable to session hijacking: once a client has logged in, the controller recognizes it only by MAC/IP address, which another station can clone
  – Reasonable general access control
  – Not solid assurance of privacy (the air link itself stays unencrypted)
10
IPSec/VPN
• Place the WLAN outside the firewall (treat it as untrusted, like the Internet)
• Provide WLAN users with a VPN client
• Force all WLAN traffic through a VPN concentrator
11
Wired Equivalent Privacy (WEP)
• Standard configurable feature of most leading APs
• Objective: ensure privacy by encrypting each 802.11 packet with the RC4 stream cipher
• Relies on pre-shared static keys (typically manually configured)
• Weaknesses:
  – No key management specified
  – Keys too small (40 bits) and easily brute-forced
  – Initialization Vector (IV) is too small (24 bits) and is sent in the clear, so keystreams are reused
  – RC4 as keyed by WEP (IV prepended to the static key) is weak against related-key attacks
• WEP is bad, but better than nothing if keys are changed frequently
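The IV weakness is easy to see in code. The following Go program is an added example, not taken from the deck or any vendor: it models WEP-40 framing (24-bit IV in the clear, RC4 keyed with IV || shared key, ICV omitted), encrypts two constructed frames under the same IV, recovers the second frame's contents from the first one's known plaintext, and computes the birthday bound on IV collisions. The key, IV and plaintexts are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/rc4"
	"fmt"
	"math"
)

// IVSpace is the number of distinct 24-bit WEP initialization vectors.
const IVSpace = 1 << 24

// wepEncrypt models a WEP frame body: the 24-bit IV travels in the clear in
// front of the ciphertext, and the RC4 seed is iv || sharedKey (a 40-bit
// shared key gives the 64-bit seed of "WEP-40"). The CRC-32 ICV that real
// WEP appends is left out; it plays no part in the IV-reuse weakness.
func wepEncrypt(sharedKey []byte, iv [3]byte, plaintext []byte) []byte {
	seed := append(append([]byte{}, iv[:]...), sharedKey...)
	stream, err := rc4.NewCipher(seed)
	if err != nil {
		panic(err) // only for an empty or >256-byte seed
	}
	frame := make([]byte, 3+len(plaintext))
	copy(frame, iv[:])
	stream.XORKeyStream(frame[3:], plaintext)
	return frame
}

// xorBytes returns a XOR b, truncated to the shorter input.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverFromIVReuse is the eavesdropper's side. Given two frames that carry
// the same IV (readable in the clear) and the plaintext of the first one (a
// predictable body such as an ARP or DHCP packet), ciphertext1 XOR plaintext1
// is the RC4 keystream for that IV, and it decrypts as much of the second
// frame as the known plaintext covers. ok is false when the IVs differ,
// because then the two frames share no keystream.
func recoverFromIVReuse(frame1, frame2, knownPlaintext1 []byte) (plaintext2 []byte, ok bool) {
	if len(frame1) < 3 || len(frame2) < 3 || !bytes.Equal(frame1[:3], frame2[:3]) {
		return nil, false
	}
	keystream := xorBytes(frame1[3:], knownPlaintext1)
	return xorBytes(frame2[3:], keystream), true
}

// ivCollisionProbability is the birthday bound: the chance that at least two
// of n frames from one station share an IV when IVs are drawn at random from
// the 2^24 space. A sequential IV counter is no better: it wraps after 2^24
// frames, and many implementations restart it from zero after a reset.
func ivCollisionProbability(n int) float64 {
	return 1 - math.Exp(-float64(n)*float64(n-1)/(2*IVSpace))
}

func main() {
	sharedKey := []byte{0x0b, 0xad, 0xc0, 0xff, 0xee}     // constructed 40-bit key
	iv := [3]byte{0x12, 0x34, 0x56}                       // reused below
	known := []byte("GET /index.html HTTP/1.0\r\n")       // constructed, guessable body
	secret := []byte("Authorization: Basic dXNlcjpwYXNz") // constructed, the target

	f1 := wepEncrypt(sharedKey, iv, known)
	f2 := wepEncrypt(sharedKey, iv, secret) // same IV on the second frame
	got, ok := recoverFromIVReuse(f1, f2, known)
	fmt.Printf("same IV: ok=%v recovered %q\n", ok, got)
	fmt.Printf("P(IV collision) after 4096 frames: %.2f\n", ivCollisionProbability(4096))
}
```

The recovery needs no key at all, which is why "change keys frequently" only shrinks the window: with a 24-bit IV, about 4,000 frames from one station already give a roughly 40% chance of a repeated IV.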
12
802.1X Security
• 802.1X Standard
  – Framework for "providing compatible authentication & authorization mechanisms for devices interconnected by 802.11 LANs"
• 802.1X Security Entities – identifies 3 entities:
  – Client (Supplicant)
  – Access Point (Authenticator)
  – Authentication Server (AS)
  – Supplicant-to-AP communication uses EAPOL (EAP over LAN); the AP relays the EAP packets to the AS, typically over RADIUS
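As an added example (not from the deck), here is the supplicant/authenticator leg of that exchange in Go: EAPOL framing, the EAP Request/Identity and Response/Identity packets it carries, and the one thing the authenticator does at this stage, which is to extract the claimed identity for relaying to the AS. The identity `alice@corp.example` and the EAP Identifier 7 are constructed values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// EAPOL packet types (IEEE 802.1X-2001) and EAP codes/methods (RFC 2284).
const (
	EAPOLEAPPacket  uint8 = 0
	EAPOLStart      uint8 = 1
	EAPRequest      uint8 = 1
	EAPResponse     uint8 = 2
	EAPTypeIdentity uint8 = 1
)

type EAP struct {
	Code, ID, Type uint8 // Type is present only in Request/Response packets
	Data           []byte
}

// encodeEAPOL wraps body in the 4-byte EAPOL header: version 1, type, body length.
func encodeEAPOL(typ uint8, body []byte) []byte {
	out := make([]byte, 4+len(body))
	out[0], out[1] = 1, typ
	binary.BigEndian.PutUint16(out[2:], uint16(len(body)))
	copy(out[4:], body)
	return out
}

// parseEAPOL returns the packet type and body; the length field is trusted
// only as far as the frame actually extends (Ethernet padding may follow).
func parseEAPOL(frame []byte) (typ uint8, body []byte, err error) {
	if len(frame) < 4 {
		return 0, nil, errors.New("eapol: frame shorter than header")
	}
	n := int(binary.BigEndian.Uint16(frame[2:]))
	if len(frame) < 4+n {
		return 0, nil, errors.New("eapol: length field exceeds frame")
	}
	return frame[1], frame[4 : 4+n], nil
}

// encodeEAP builds an EAP packet; Length covers the whole packet.
func encodeEAP(code, id, typ uint8, data []byte) []byte {
	out := []byte{code, id, 0, 0}
	if code == EAPRequest || code == EAPResponse {
		out = append(out, typ)
	}
	out = append(out, data...)
	binary.BigEndian.PutUint16(out[2:], uint16(len(out)))
	return out
}

func parseEAP(pkt []byte) (EAP, error) {
	if len(pkt) < 4 {
		return EAP{}, errors.New("eap: packet shorter than header")
	}
	e, n, hdr := EAP{Code: pkt[0], ID: pkt[1]}, int(binary.BigEndian.Uint16(pkt[2:])), 4
	if e.Code == EAPRequest || e.Code == EAPResponse {
		hdr = 5
	}
	if n < hdr || n > len(pkt) {
		return EAP{}, errors.New("eap: bad length field")
	}
	if hdr == 5 {
		e.Type, e.Data = pkt[4], pkt[5:n]
	}
	return e, nil
}

// identityFromEAPOL is the authenticator's (AP's) whole job at this step: it
// checks no credentials, it only pulls the claimed identity out of the
// supplicant's EAP-Response/Identity so the EAP packet can be relayed to the
// AS. A response whose Identifier does not match the outstanding Request
// (expectID) is stale or spoofed and is dropped.
func identityFromEAPOL(frame []byte, expectID uint8) (string, error) {
	typ, body, err := parseEAPOL(frame)
	if err != nil {
		return "", err
	}
	if typ != EAPOLEAPPacket {
		return "", fmt.Errorf("eapol: type %d carries no EAP packet", typ)
	}
	eap, err := parseEAP(body)
	if err != nil {
		return "", err
	}
	if eap.Code != EAPResponse || eap.Type != EAPTypeIdentity || eap.ID != expectID {
		return "", errors.New("eap: not the expected Response/Identity")
	}
	return string(eap.Data), nil
}

func main() {
	// Constructed exchange: AP -> supplicant (Request/Identity), supplicant -> AP (Response/Identity).
	request := encodeEAPOL(EAPOLEAPPacket, encodeEAP(EAPRequest, 7, EAPTypeIdentity, nil))
	response := encodeEAPOL(EAPOLEAPPacket, encodeEAP(EAPResponse, 7, EAPTypeIdentity, []byte("alice@corp.example")))
	id, err := identityFromEAPOL(response, 7)
	fmt.Printf("request=%x\nidentity=%q err=%v\n", request, id, err)
}
```

The AP forwards the EAP packet unchanged to the AS (over RADIUS, not EAPOL); the identity it extracts here is only used for routing and logging, never as proof of who the client is.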
13
Secure WLAN Roaming
(Diagram: Internet; Enterprise; Public WLAN "Hotspot"; Home network; Authentication Clearinghouse; an AS at each site)
• The Public WLAN carrier/ISP routes all authentication requests to the Authentication Clearinghouse.
• The Clearinghouse terminates the outer EAP-TTLS tunnel and passes the username/password on to the enterprise's RADIUS server; it also manages accounting and billing.
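The clearinghouse hop described above, as an added example in Go rather than anything from the deck: the visited WISP's AAA sends a RADIUS Access-Request carrying the user's NAI and a User-Password hidden as RFC 2865 specifies; the clearinghouse parses it, unhides the password with the secret it shares with that WISP, routes by realm, and re-hides the password for the enterprise RADIUS server under a fresh Request Authenticator. The EAP-TTLS tunnel that protects the credential over the air is not modelled; what is shown is what the clearinghouse handles once it has terminated that tunnel. The realm table, server addresses, shared secrets and credentials are all constructed for the example.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

const (
	codeAccessRequest uint8 = 1
	attrUserName      uint8 = 1
	attrUserPassword  uint8 = 2
)

// homeAAAByRealm is a constructed routing table: the NAI realm selects the home RADIUS server and that hop's secret.
var homeAAAByRealm = map[string]struct{ Addr, Secret string }{
	"corp.example": {"radius.corp.example:1812", "clearinghouse<->corp"},
}

// passwordXOR is the RFC 2865 User-Password transform: the password is padded
// to a multiple of 16 bytes and each block is XORed with MD5(secret || prev),
// where prev is the Request Authenticator for the first block and the previous
// hidden block after that. hide=false reverses it, so every hop that knows the
// secret (each RADIUS proxy on the path) sees the cleartext password.
func passwordXOR(secret string, reqAuth [16]byte, in []byte, hide bool) []byte {
	padded := make([]byte, (len(in)+15)/16*16)
	copy(padded, in)
	out, prev := make([]byte, len(padded)), reqAuth[:]
	for i := 0; i < len(padded); i += 16 {
		b := md5.Sum(append([]byte(secret), prev...))
		for j := 0; j < 16; j++ {
			out[i+j] = padded[i+j] ^ b[j]
		}
		if prev = out[i : i+16]; !hide {
			prev = padded[i : i+16]
		}
	}
	return out
}

func tlv(t uint8, v []byte) []byte { return append([]byte{t, uint8(2 + len(v))}, v...) }

// buildAccessRequest assembles an Access-Request (RFC 2865 section 4.1): code,
// identifier, length, 16-byte Request Authenticator, then User-Name and User-Password.
func buildAccessRequest(id uint8, reqAuth [16]byte, secret, nai string, password []byte) []byte {
	attrs := append(tlv(attrUserName, []byte(nai)), tlv(attrUserPassword, passwordXOR(secret, reqAuth, password, true))...)
	pkt := append([]byte{codeAccessRequest, id, 0, 0}, reqAuth[:]...)
	binary.BigEndian.PutUint16(pkt[2:], uint16(20+len(attrs)))
	return append(pkt, attrs...)
}

func parseAccessRequest(pkt []byte) (reqAuth [16]byte, attrs map[uint8][]byte, err error) {
	if len(pkt) < 20 || pkt[0] != codeAccessRequest || int(binary.BigEndian.Uint16(pkt[2:])) != len(pkt) {
		return reqAuth, nil, errors.New("radius: not a well-formed Access-Request")
	}
	copy(reqAuth[:], pkt[4:20])
	attrs = map[uint8][]byte{}
	for p := pkt[20:]; len(p) > 0; p = p[p[1]:] {
		if len(p) < 2 || int(p[1]) < 2 || int(p[1]) > len(p) {
			return reqAuth, nil, errors.New("radius: malformed attribute")
		}
		attrs[p[0]] = p[2:p[1]]
	}
	return reqAuth, attrs, nil
}

// forwardToHome is the clearinghouse hop: unhide the password with the secret shared
// with the visited WISP, pick the home AAA by realm, re-hide under a fresh authenticator.
func forwardToHome(fromVisited []byte, visitedSecret string) (homeAddr string, toHome []byte, err error) {
	reqAuth, attrs, err := parseAccessRequest(fromVisited)
	if err != nil {
		return "", nil, err
	}
	nai := string(attrs[attrUserName])
	at := strings.LastIndex(nai, "@")
	if at <= 0 || at == len(nai)-1 {
		return "", nil, fmt.Errorf("radius: User-Name %q is not user@realm", nai)
	}
	home, ok := homeAAAByRealm[strings.ToLower(nai[at+1:])]
	if !ok {
		return "", nil, fmt.Errorf("radius: no roaming agreement for realm %q", nai[at+1:])
	}
	if hidden := attrs[attrUserPassword]; len(hidden) == 0 || len(hidden)%16 != 0 {
		return "", nil, errors.New("radius: bad User-Password length")
	}
	password := strings.TrimRight(string(passwordXOR(visitedSecret, reqAuth, attrs[attrUserPassword], false)), "\x00")
	var fresh [16]byte
	if _, err := rand.Read(fresh[:]); err != nil {
		return "", nil, err
	}
	return home.Addr, buildAccessRequest(fromVisited[1], fresh, home.Secret, nai, []byte(password)), nil
}

func main() {
	var ra [16]byte
	rand.Read(ra[:])
	addr, toHome, err := forwardToHome(buildAccessRequest(42, ra, "wisp<->clearinghouse", "alice@corp.example", []byte("s3cret")), "wisp<->clearinghouse")
	fmt.Printf("forward %d bytes to %s err=%v\n", len(toHome), addr, err)
}
```

Two things follow from the code that the slide leaves implicit: the clearinghouse necessarily sees the cleartext password on this hop, so it is a trusted party, not a mere router; and an Access-Request carries no integrity check of its own, so a wrong shared secret simply forwards a garbled password rather than being detected here.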
14
CA Hierarchy
(Diagram of the certificate tree, with the Wi-Fi Root CA at the top:)
Wi-Fi Root CA
  Wi-Fi CA
    Device Vendor #1, Device Vendor #2 … Device Vendor #N, issuing device certificates by serial number:
      NIC/STA Serial#1pqr..., NIC/STA Serial#1stv...
      AP Serial#2xyz..., AP Serial#2abc...
      AAA Serial#5cde..., AAA Serial#5fgh...
  WISPr CA
    W-ISP #1: User#1-456, AP#1-678, PAC#1-765
    W-ISP #2: User#2-456, AP#2-123, AAA#2-897
    W-ISP #n: User#n-123, User#n-456
15
Industry Trust Model
• PKI model ensures the highest level of trust
• Digital-certificate based
• Utilizes 802.1X/EAP-TLS (mutual certificate authentication of station and authentication server)
• Trusted Certificate Authority network
• Portable across home, enterprise and public venues
16
Wireless Carrier Paradigm
(Diagram: the Cellular Network and 3G Access Networks joined through a Mediation layer to the user profile/HLR, Apps., Billing, Hot spots and WLANs, with arrows labelled Services and Revenue)
17
Targeted Architecture
(Diagram: a Residential ISP / Wireless carrier (Service Provider) with AAA Servers and Billing/Customer Care Servers, serving xDSL/Cable Broadband users and Wireless users over Cable/DSL and T1; Public WLAN "Hotspot" / WISP operations with their own AAA Servers and Billing/Customer Care Servers, serving the Roaming user; the Internet between them; a Clearinghouse (optional) with AAA Servers, or Direct exchange between the providers; and Mobile carriers with AAA Servers, an SS7 GW and an HLR)