Seamless Yet Secure - Hotspot Roaming
CDG Wi-Fi Summit 2003
Steve Reyes, Product Management and Development
4501 Intelco Loop SE, Olympia, WA 98507
913-814-6262, Sreyes@verisign.com
Vision: Mobile and Portable Computing

[Diagram: an enterprise, a public WLAN hotspot and a small manufacturing site or branch office connect over T1/T3 and cable/DSL links to the Internet; a service provider operates AAA servers, billing/customer care servers and legacy and web enterprise applications; an xDSL/cable broadband user connects from home.]
Market Forecasts All Over the Map

[Charts: forecasts of the number of hot spots 2002-2006 from IDC (June 2002), Analysys, Pyramid Research, Goldman Sachs, TeleAnalytics and Alexander Resources, with a consensus view; Goldman Sachs global Wi-Fi equipment sales split into home, enterprise and public access (IDC and Synergy); and U.S. Wi-Fi penetration as a percentage of broadband connections, low and high cases.]
Key Market Inhibitors

There are two major barriers holding back significantly higher levels of Wi-Fi adoption.

1. Security concerns. Enterprises have been slow to build out WLANs due to concerns over network security (e.g., unauthorized access). Result: fewer enterprise deployments, and lower carryover of users into hotspots and homes.

2. Lack of a standard roaming infrastructure. The lack of a broadly accessible roaming standard fosters closed networks and significantly reduces the value proposition to end users, hotspot operators and network service providers. Result: economies of scale are not realized, and end-user inconvenience lowers demand.
Evolution

Realizable market opportunity grows over time:
- Today (Phase I): closed and non-secure
- Phase II (2003): closed but secure
- Phase III (2005): open and secure
Requirements of Major Constituents

Enterprise customers:
- Unwilling to deploy until WLAN security is properly addressed
- Require a complete solution bundle for WLAN network design, portability and mobility

WLAN service providers:
- Broadband ISPs looking for new revenue streams
- 3G networks need to seed wireless data services usage

Consumers/SMB customers:
- Want to deploy a low-TCO LAN
- Want public WLAN roaming capabilities

WLAN infrastructure vendors:
- Need to solve WLAN security issues in order to grow the market

[Diagram: the four constituencies surround the labels "ROI" and "Unleash the Opportunity".]
The Security Conundrum

- SSID association is NOT a security mechanism: sniffing possible (desirable) OR limited interoperability
- MAC address control lists are not maintainable
- Authorization is an all-or-nothing problem
- WEP (privacy control): vulnerable; key management headache
- VPN: requires client software; install/configuration effort; expensive
The Security Conundrum (continued)

Vendor security frameworks are proprietary, may impact interoperability and may limit the choice of vendors:
- Cisco's LEAP: mutual authentication of clients and APs; per-session WEP key for encryption
- Agere's Advanced Mobile Security Architecture (AMSA): RC4 per-session encryption with Diffie-Hellman key exchange; supports EAP-TLS with WEP encryption and key refresh
- Symbol: based on Kerberos; mutual authentication and end-to-end encryption; per-session dynamic key distribution
Web-Based Security

- Browser-based authentication via username/password through an encrypted browser window
- Typically employs an access controller located between the wireless AP and the internal LAN or Internet
- Best suited for guest services
- Vulnerable to session hijacking: reasonable general access control, but not solid assurance of privacy
IPSec/VPN

- Place the WLAN outside the firewall
- Provide WLAN users with a VPN client
- Forces users through a VPN concentrator
Wired Equivalent Protocol (WEP)

- Standard configurable feature of most leading APs
- Objective: ensure privacy by encrypting each 802.11 packet via an RC4 cipher stream
- Relies on pre-shared static keys (typically manually configured)
- Weaknesses:
  - No key management specified
  - Keys too small (40 bits) and easily broken
  - Initialization Vector (IV) too small and easily broken (sent in the clear)
  - RC4 algorithm is weak
- WEP is bad, but better than nothing if keys are changed frequently
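To put numbers on the "IV is too small" weakness and on what "changed frequently" has to mean, here is an added illustration (not part of the original slides). It models only WEP's 24-bit per-packet IV under one static key, not RC4 itself; the packet rate of 1000 packets/s in the demo is an assumption, and the collision simulation uses a seeded random IV choice rather than a real AP's IV scheme.

```python
# Added illustration, not from the original slides: how quickly a 24-bit IV
# repeats under one static WEP key, and hence how often the key must change.
# Models only the IV space; the RC4 keystream itself is not implemented.
import math
import random

IV_BITS = 24
IV_SPACE = 1 << IV_BITS   # 16,777,216 possible IVs per static key


def birthday_bound_packets(p: float = 0.5, iv_space: int = IV_SPACE) -> int:
    """Packets after which some IV (and so some RC4 keystream) has repeated
    with probability p, by the birthday approximation
    n ~= sqrt(2 * N * ln(1 / (1 - p)))."""
    return math.ceil(math.sqrt(2 * iv_space * math.log(1 / (1 - p))))


def first_iv_collision(seed: int, iv_space: int = IV_SPACE) -> int:
    """Simulate an AP choosing a random IV per packet under one static key
    (assumed IV scheme); return the packet number at which an IV first repeats."""
    rng = random.Random(seed)
    seen = set()
    n = 0
    while True:
        n += 1
        iv = rng.randrange(iv_space)
        if iv in seen:
            return n
        seen.add(iv)


def counter_wrap_seconds(rate_pps: float, iv_space: int = IV_SPACE) -> float:
    """Seconds until a sequential (counter) IV wraps and must reuse values."""
    return iv_space / rate_pps


def rekey_interval_seconds(rate_pps: float, p: float = 0.01) -> float:
    """How often the static key must change to keep the probability of any
    keystream reuse below p: the slide's 'changed frequently' in numbers."""
    return birthday_bound_packets(p) / rate_pps


if __name__ == "__main__":
    rate = 1000  # assumed packets per second on a busy 802.11b cell
    print("50% chance of an IV repeat after", birthday_bound_packets(), "packets")
    print("simulated first repeat at packet", first_iv_collision(seed=2003))
    print("counter IV wraps after %.1f h at %d pkt/s" % (counter_wrap_seconds(rate) / 3600, rate))
    print("rekey every %.2f s at %d pkt/s for <1%% reuse risk" % (rekey_interval_seconds(rate), rate))
```

The output shows why per-session dynamic keys (as in the vendor frameworks on the previous slide) rather than a manually rotated static key are the practical fix.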
802.1X Security

- 802.1X standard: framework for providing compatible authentication and authorization mechanisms for devices interconnected by 802.11 LANs
- 802.1X security entities: identifies three entities:
  - Client (Supplicant)
  - Access Point (Authenticator)
  - Authentication Server (AS)
- AP-to-AS communication using EAPOL
Secure WLAN Roaming

[Diagram: the Internet connects an enterprise, a public WLAN hotspot and a home network, each with its own authentication server (AS), to an Authentication Clearinghouse.]

The public WLAN carrier/ISP routes all authentication requests to the Authentication Clearinghouse. The Clearinghouse opens the outer EAP-TTLS tunnel and passes on the username/password to the enterprise's RADIUS server; it also manages accounting and billing.
CA Hierarchy

[Diagram: a Wi-Fi Root CA above a WISPr CA and a Wi-Fi CA; beneath them, W-ISP #1 through #n and Device Vendor #1 through #N, each issuing certificates to users, access points, PACs, AAA servers and NIC/STA devices, identified by serial number.]
Industry Trust Model

- PKI model ensures the highest level of trust
- Digital certificate based
- Utilizes 802.1X/EAP-TLS
- Trusted Certificate Authority network
- Portable across home, enterprise and public venues
Wireless Carrier Paradigm

[Diagram: 3G access networks and WLAN hot spots feed the cellular network's user profile (HLR), mediation, services, applications and billing, producing revenue.]
Targeted Architecture

[Diagram: a residential ISP, a wireless carrier (service provider) and a public WLAN hotspot/WISP operation, each with AAA servers and billing/customer care servers, exchange authentication either directly or through an optional clearinghouse; a gateway (GW) links to the mobile carriers' HLR over SS7; xDSL/cable broadband users, wireless users and roaming users connect via cable/DSL, T1 and the Internet.]
Thank You!