Supporting A Laptop Environment
Erick Engelke
Faculty of Engineering
University of Waterloo
[email protected]
http://www.eng/~erick/presentations/wirelessCanHEIT.htm

Initial Requirements
check client identity
userid/password to authenticate, authorize and log usage
password verification (Active Directory)
many similar solutions available (now)
uncertain of other needs at that time

Network Authentication Appliance
homegrown box (FreeBSD) to:
authenticate against either of 2 Active Directories
authorize access
log usage
act as router/firewall

Observations
laptops outsell desktops
expect continued growth of laptop usage
new learning opportunities with laptops, but also new challenges for staff
chasing security and bandwidth issues is time-consuming for staff

Part 1
Bandwidth Management
(thanks to Bruce Campbell)

Bandwidth Problem
laptops consistently became highest bandwidth consumers
chasing people for bandwidth usage is time consuming
is it possible to classify bandwidth as good/academic versus evil or recreational?

Good Versus Bad
are there good and bad protocols?
KAZAA, SKYPE are bad!
SSH is good!
except:
SKYPE for collaboration is good
SSH used to tunnel bad protocols is bad

What are we trying to solve?
If the issue is excessive bandwidth consumption, we are trying to reduce unnecessary bandwidth!

Traffic Shaping
flat rate shaping is common
to constrict to 2 GB/day: 20 kB/s
yikes! Interactive web sites and good browsing are hindered
100 kB/s yields 2 DVD downloads per day using bittorrent, but still feels slow (30 seconds) downloading a 3 MB powerpoint slide

Analyze Typical Traffic Patterns
consistent low traffic volume is fine
sustained high volume is bad
bursts of high traffic are typical of web browsing, page editing, book reading, etc.

Traffic Shaping Summary
fancy shaping algorithms like RED, WFQ, etc. are very coarse tools for bandwidth management
they only measure what is going through the pipe, not what has gone through the pipe
we want a feedback loop!

Toilet Tank Traffic Shaper
emulate a toilet: a reservoir of bandwidth, high output flow, small input flow
users can enjoy a burst of bandwidth, but it slows to a trickle if you hold the lever
release the lever and the reservoir refills, ready for the next download

TTTS Settings
tank size
maximum output rate
maximum input rate
minimum time to empty: causes output rate to decrease exponentially
full percent: level at which full output rate is available

How It Works Internally
uses FreeBSD's flat rate traffic shaping
cron job every minute
looks at past traffic
'pipes' are resized according to formula
high volume users see gradual slowing
when they stop, the speed increases
"doctor it hurts when I do this" … "well stop doing that!"

TTTS Settings at UW
tank size: 200 MB
max bandwidth: unlimited
min bandwidth: 40 kB/s
min empty time: 5 minutes
full percent: 80%
separate upload/download queues
negligible effect on 95% of users, as if there were no rate limiting at all!
heavy bandwidth users not possible
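The feedback controller described on the TTTS slides, as an added Python simulation rather than UW's FreeBSD implementation. The slides give the UW settings but not the resize formula, so the rule used here (allow the rate that would drain the current tank level in the minimum empty time) and the 20 kB/s refill rate are assumptions; they reproduce the exponential slowdown under sustained load and the recovery once the client goes idle that the slides describe.

```python
INF = float("inf")

class ToiletTank:
    """One client's bandwidth reservoir (an assumed reconstruction, not UW's code)."""
    def __init__(self, tank_bytes, max_rate, min_rate, refill_rate,
                 min_empty_s, full_percent):
        self.tank = tank_bytes          # reservoir size in bytes
        self.max_rate = max_rate        # bytes/s above the full mark; INF = unlimited
        self.min_rate = min_rate        # bytes/s floor, the "trickle"
        self.refill_rate = refill_rate  # bytes/s, the small input flow
        self.min_empty_s = min_empty_s  # a full tank may not empty faster than this
        self.full_level = full_percent * tank_bytes
        self.level = tank_bytes         # start full

    def allowed_rate(self):
        # Assumed formula: permit the rate that would drain the current level in
        # min_empty_s.  Under sustained load the level and the rate then decay
        # exponentially (x0.8 per minute at UW settings), never below the floor.
        if self.level >= self.full_level:
            return self.max_rate
        return max(self.min_rate, self.level / self.min_empty_s)

    def tick(self, bytes_used, interval_s=60):
        """The per-minute cron step: drain by what HAS gone through, refill, resize."""
        self.level -= bytes_used
        self.level += self.refill_rate * interval_s
        self.level = min(self.tank, max(0.0, self.level))
        return self.allowed_rate()

def uw_settings():
    # Values from the "TTTS Settings at UW" slide; the refill (input) rate is not
    # on the slide, so 20 kB/s is an assumed value for this illustration.
    return ToiletTank(tank_bytes=200e6, max_rate=INF, min_rate=40e3,
                      refill_rate=20e3, min_empty_s=300, full_percent=0.80)

def simulate(demand_kbs_per_minute, tank=None):
    """One entry per minute of client demand in kB/s; returns the pipe size
    set after each minute in kB/s (inf = no limit)."""
    tank = tank or uw_settings()
    rate, rates = tank.allowed_rate(), []
    for demand in demand_kbs_per_minute:
        used = min(demand * 1e3, rate) * 60   # the current pipe caps what gets through
        rate = tank.tick(used)
        rates.append(rate / 1e3)
    return rates

if __name__ == "__main__":
    print(simulate([50] * 3))                 # browsing-style client: never limited
    print(simulate([10000] * 3 + [0] * 20))   # greedy client: trickle, then recovery
```

A 50 kB/s client never drops below the 80% mark and stays unlimited; a client pulling as hard as it can empties the tank within the first minute, sits at the 40 kB/s floor, and only climbs back once the refill has put more than 12 MB into the tank.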

Part 2
Client Admission Control
MinUWet

Goal
We want a strategy which encourages responsible client laptop management…
antivirus installed, receiving windows updates

How to Encourage Security
educate
reward
remind
nag
embarrass
punish

or

detect and zero in on problem OS's
for Windows: need Antivirus, Updates
other OS's must not be hindered

Goals
MinUWet: NAA detects OS at login time
vulnerable OS's placed into restricted mode, just HTTP access
that's enough to get latest updates, definitions
must run/pass our client validation tool (MinUWet) to get additional network protocols
other OS's are not affected

Not Entirely Original
similar to Cisco's Network Admission Control and MS Network Access Protection
Cisco and MS systems are stronger, but less flexible and require big investment or waiting for release
MinUWet doesn't have to be perfect, just better than previous mess
MinUWet can be retired upon better options

Statistics from Two Week Trial
just Faculty of Engineering
6486 wireless Windows users
¼ of them failed MinUWet initially
½ of failures were then fixed by users and staff
Zero observed security threats (snort)

Campus-wide Deployment
day 1: informed IT helpdesk staff
day 2: message in daily bulletin; brief message at every wireless login; users may choose to test their systems
day 14: system goes live campus-wide in enforce mode

Observations
great for IT staff, no chasing people
users of poorly managed systems informed
fast, takes only seconds
people don't like running it every time

MinUWet Memory Added
laptops now validate only once per week
2/3rds of laptops are pre-approved
still frequent enough to catch computers which fall out-of-scope of AV or patches
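The admission decision from the Goals slide, combined with the once-per-week memory from the MinUWet Memory Added slide, as an added Python illustration; this is not MinUWet's or the NAA's own code. The slides say only "HTTP access" for restricted mode and "additional network protocols" for full access, so the protocol sets are constructed, the advisory/enforce flag stands for the day 2 to day 14 rollout, and times are simplified to day numbers.

```python
from dataclasses import dataclass, field

# Constructed protocol sets: the slides name only "HTTP access" for restricted mode.
HTTP_ONLY = frozenset({"HTTP"})                    # enough to fetch updates and AV definitions
FULL = frozenset({"HTTP", "SSH", "IMAP", "VPN"})   # the "additional network protocols"
VALID_DAYS = 7                                     # MinUWet memory: validate once per week

@dataclass
class NAA:
    """Admission logic of the Network Authentication Appliance at wireless login."""
    enforce: bool = True                          # False during the advisory rollout days
    passes: dict = field(default_factory=dict)    # client id -> day MinUWet last passed

    def record_pass(self, client_id, day):
        """The client ran MinUWet and passed (AV installed, updates on)."""
        self.passes[client_id] = day

    def pre_approved(self, client_id, day):
        # A pass older than a week has expired: the laptop may have fallen out of
        # scope of AV or patches since, so it must validate again.
        last = self.passes.get(client_id)
        return last is not None and day - last < VALID_DAYS

    def admit(self, client_id, os_family, day):
        """Return (protocols allowed, reason) for one login on the given day."""
        if os_family != "Windows":
            return FULL, "other OS: not affected"
        if self.pre_approved(client_id, day):
            return FULL, "Windows: MinUWet passed within the last week"
        if not self.enforce:
            return FULL, "Windows: not validated, advisory mode (user may test)"
        return HTTP_ONLY, "Windows: HTTP only until MinUWet passes"

if __name__ == "__main__":
    naa = NAA()
    print(naa.admit("lap-1", "Windows", day=0))   # restricted until validated
    naa.record_pass("lap-1", day=0)
    print(naa.admit("lap-1", "Windows", day=6))   # pre-approved, no tool run
    print(naa.admit("lap-1", "Windows", day=7))   # week over: restricted again
    print(naa.admit("nb-2", "Linux", day=0))      # other OS: never affected
```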

What We Learned
client validation works, every school will get it eventually
some users know they will fail, so they live with HTTP-only access
IT support made more scalable
may be a good idea for grad student wired computers, residences

Wireless Needs (Revised)
identity (auth/access/logging)
bandwidth management
admission control
data encryption (VPN, 802.1X)
roaming – variety of options

Thank You