Security - Telenor
Henning Wright Hansen (28) is Research Scientist at Telenor R&D, Kjeller, where he has been working on aspects related to Internet security since 1996. His research interests include wide aspects of security related to computing, focusing on the security consequences of introducing Internet mobility as well as solutions making the Internet a safer place to be for the mobile users of the future. He is also involved in the TigerTeam activities (practical security testing) at Telenor R&D.
henning-wright.hansen@telenor.com
Dole Tandberg (38) is Research Scientist in the Security Group at Telenor R&D, Kjeller, where he has been working since 1997. His research interests include security in Internet and mobile distributed systems. He is also involved in the TigerTeam activities and practical security exploits.
Background: 1982–1988 University of Zagreb, Croatia; 1988–1996 ABB Corporate Research; holder of 4 patents (2 WW and 2 UK); 1994 Sheffield University (UK), largest civilian FEM-test research program; 1995 London Conference “New Era Technology”, paper author.
dole-stojakovic.tandberg@telenor.com
Security in a Future Mobile Internet
HENNING WRIGHT HANSEN AND DOLE TANDBERG
Introduction<br />
Everyone knows it – computers are getting more and more common. Computers are also getting more and more portable. At the same time the Internet has become commonplace. Professional computer users demand the possibility to work as usual independent of time and place. And why not? The technology that will make this happen is more or less here.

However, the companies that own and control the computers used by these demanding users have second thoughts. What about security? The Internet is itself a “dangerous” place to be, and even highly skilled personnel make mistakes when implementing security solutions to protect the internal network from script kiddies or, maybe even worse, from unscrupulous competing companies or foreign governments. Who really knows what might be out there?

And now the users want to open up the internal network to be accessed from the Internet. How could this be done in a satisfyingly secure manner? How should the mobility management be implemented to allow for transparent access – both to and from the machines on the road?

This article will try to cover these issues and propose solutions that may become the foundation for secure Internet mobility in the years to come. Only selected security technologies will be covered, focusing on the mobile users and their terminals.
A Mobile Wireless Network of the Future
The Internet has traditionally offered very poor support for mobility. It is of course possible to move computers connected to the Internet from one local area network to another, but there has been no support for mobility. That is, when moving a computer from one LAN to another, you have to supply it with a brand new IP address. From the network's point of view, this is seen as a totally different computer, since the IP address is used to identify it. Even today, some legacy operating systems claimed to be “up to date” need to be rebooted in order to use a different IP address.
Mobile IP is about to change this, however, allowing the computer to be moved while keeping its old IP address for identification, and at the same time obtaining and using a new, topologically correct IP address. This may be achieved by using e.g. tunneling mechanisms.
Internet mobility may be achieved without altering the routers or other hosts on the Internet; the only thing really needed is a Home Agent placed on the home network. The Home Agent is responsible for registering the current locations (IP addresses) of mobile nodes, and for forwarding packets destined for a mobile node out to its current location. Authentication is built in to make it difficult to redirect traffic to unauthorised hosts; this helps prevent someone stealing traffic destined for the mobile nodes.
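As an added illustration (not code from the original article), a toy Home Agent in Python that records a mobile node's current care-of address only when the registration carries a valid keyed-hash tag, rejects stale (replayed) registrations, and then tunnels packets addressed to the home address out to the registered location. The addresses, the shared secret and the use of HMAC-SHA256 are constructed for the demo; real Mobile IP registration messages carry more fields.

```python
import hmac
import hashlib

# Constructed example of a Home Agent binding table. Keys, addresses and the
# packet format are made up for the demo; a real Mobile IP registration also
# carries a lifetime and uses an authentication extension over the message.
SHARED_SECRETS = {"10.0.0.5": b"demo-secret-for-mobile-node"}   # constructed
HOME_AGENT_ADDR = "10.0.0.1"                                      # constructed

def auth_tag(secret: bytes, home_addr: str, care_of: str, ident: int) -> bytes:
    """Keyed hash over the binding fields (HMAC-SHA256 here, a simplification)."""
    msg = f"{home_addr}|{care_of}|{ident}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()

class HomeAgent:
    def __init__(self):
        self.bindings = {}     # home address -> current care-of address
        self.last_ident = {}   # home address -> highest identification seen

    def register(self, home_addr, care_of, ident, tag):
        """Accept a location update only if it authenticates and is fresh."""
        secret = SHARED_SECRETS.get(home_addr)
        if secret is None:
            return "rejected: unknown mobile node"
        expected = auth_tag(secret, home_addr, care_of, ident)
        if not hmac.compare_digest(tag, expected):
            return "rejected: authentication failed"   # redirect attempt blocked
        if ident <= self.last_ident.get(home_addr, -1):
            return "rejected: replayed registration"
        self.last_ident[home_addr] = ident
        self.bindings[home_addr] = care_of
        return "accepted"

    def forward(self, packet):
        """Tunnel (IP-in-IP style) to the care-of address, else deliver locally."""
        care_of = self.bindings.get(packet["dst"])
        if care_of is None:
            return packet
        return {"src": HOME_AGENT_ADDR, "dst": care_of, "inner": packet}

def demo():
    ha = HomeAgent()
    key = SHARED_SECRETS["10.0.0.5"]
    good = ha.register("10.0.0.5", "192.0.2.77", 1, auth_tag(key, "10.0.0.5", "192.0.2.77", 1))
    forged = ha.register("10.0.0.5", "198.51.100.9", 2, auth_tag(b"guess", "10.0.0.5", "198.51.100.9", 2))
    replay = ha.register("10.0.0.5", "192.0.2.77", 1, auth_tag(key, "10.0.0.5", "192.0.2.77", 1))
    pkt = ha.forward({"src": "10.0.0.2", "dst": "10.0.0.5", "data": "payload"})
    return good, forged, replay, pkt["dst"], pkt["inner"]["dst"]
```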
When a mobile node connects back to the home network, an extension is made from the LAN to the Mobile Node. Traffic that has traditionally been internal and restricted to the LAN now ends up being routed over the Internet for everyone to see. Utilising VPN technology is therefore very important if privacy, authenticity and integrity of the data exchanged are of any concern. Traditionally VPN systems have been used for protecting traffic between different kinds of networks, but the same technology may be integrated directly on the mobile nodes in a network-to-host scenario (or host-to-host for that matter). The technology used to achieve this is typically IPsec.
At the home network, the extension of the home network towards the mobile nodes is typically combined with the use of firewalls. The firewall is supposed to enforce a security policy separating those “inside” from those “outside” the firewall.
Wireless technology such as IEEE 802.11 may be used as one attractive method of accessing the Internet or LAN IP networks. The security mechanisms in these standards are however limited in flexibility, and VPN technology is therefore needed on top. WLAN technology is sometimes envisioned to replace traditional wired LAN networks, particularly in dynamic and new environments. Time and money may be saved as the need for cabling is reduced considerably. In future office environments, WLAN technology may be used as a shared access technology, e.g. within a large office building. It would be much more efficient to offer WLAN access to all employees in different firms within the building, instead of having each firm imple-
Telektronikk 3.2000