Welcome to Volume 2, Issue 1 of The Internet Security Conference Newsletter, Insights. Insights provides commentaries and educational columns, authored by some of the best minds in the security community.
The editorial calendar at this time includes columns and contributions from:
TISC is about sharing clue, and so is the newsletter. I promise you we will do our best to provide something *useful* each issue. If we don't, complain directly to me. I'd also like to hear and share your comments on the columns we push, and on topics you'd like to read about or see at TISC.
In this issue, my partner Lisa Phifer looks under the hood of two Internet roaming services, iPass and GRIC. These services have several intriguing propositions for individuals, enterprises, and ISPs. You or your company can realize the cost benefits of VPNs--a reasonable usage fee instead of onerous long distance or toll-free dial--with a truly global reach, but without worrying whether your ISP supports local dial where you roam. You or your company negotiates a single service agreement (audible sigh of relief), and iPass and GRIC manage settlements. Read on for the details.
After the VPN@TISC workshop that Fred Avolio and I presented in Boston, many attendees asked about the iPass Internet roaming service used during our layer 2 VPN demo. Today's column is for those of you who asked -- and for all road warriors who travel far and wide.
Global Internet roaming services like iPass (http://www.ipass.com) and GRIC (http://www.gric.com) allow travelers to dial a local access provider's POP from virtually anywhere in the world and be authenticated with the same credentials used at home. The incentive to use either service is, of course, financial: trade costly international toll charges for more modest POP access surcharges with no or low monthly fees. Roaming services help travelers locate a local access number, provide roaming user authentication, compensate access providers for usage, and pass along roaming fees to the user's ISP or company. Let's take a closer look at the technologies used to secure this "Internet access clearinghouse" approach.
When a roaming user dials into an iPass or GRIC alliance POP, there are four entities involved in authentication and authorization: the user's laptop, the local ISP's authentication server, a clearinghouse server, and the home ISP or company's authentication server.
Dial-up networking software initiates the call (i.e., PPP session) with two inputs: the user's network access id and a telephone number. Both GRIC and iPass provide two desktop software alternatives: an extended version of Microsoft Connection Manager, or a stand-alone dialer application. These provide "phone books" that locate telephone numbers closest to the traveler's country and city. The network access id for roaming access from anywhere is the login used for ISP access at home, followed by @ and the home ISP or company's fully-qualified domain name (e.g., firstname.lastname@example.org).
When the local ISP receives an incoming authentication request (usually CHAP), it is handled in the normal fashion by consulting a local authentication server. However, if the user is a roamer, the local authentication server (e.g., a GRIC AAS or iPass NetServer) must relay the request to the nearest clearinghouse server (e.g., a GRIC ARS or iPass Transaction Center). SSL connections and RSA certificates are used between these servers for authentication, encryption, and data integrity.
Each alliance operates several regional/redundant clearinghouse servers for worldwide availability. At the clearinghouse server, the two approaches diverge. The GRIC ARS provides routing information: it returns the identity of the home AAS and a shared secret, and the local AAS then queries the home AAS directly, using that shared secret. The iPass Transaction Center relays the request: it queries the home RoamServer and returns the response to the local NetServer. A GRIC AAS can cache the routing information and bypass the ARS on subsequent requests for the same realm, while iPass avoids any direct communication between the local and home servers. As before, SSL connections are used between servers (AAS to AAS, Transaction Center to RoamServer).
The home authentication server is ultimately responsible for permitting or denying roaming user access, based on the relayed network access id. The GRIC and iPass servers can be integrated with authentication systems using RADIUS, TACACS, and Windows NT domains. The iPass RoamServer also supports token-based authentication systems like Security Dynamics ACE Server. Accounting records are used to facilitate charge-back, coordinated by the clearinghouse provider. While many home servers are operated by alliance ISPs, companies with large roaming user populations may prefer to operate their own in-house iPass RoamServers.
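The following is an added example, not iPass or GRIC code, that models the four-party login just described: the laptop answers a CHAP challenge, the local ISP's server recognizes a foreign realm in the network access id and hands the request to a relay-style clearinghouse (the iPass arrangement), and only the home server, which holds the user's secret, can verify the response. The CHAP computation follows RFC 1994 (MD5 over identifier, secret and challenge) and the network access id format follows RFC 2486 (user@realm); the realm names, user names, secrets and class names are constructed for illustration. Note the caveat the model makes visible: CHAP keeps the secret off the wire and away from the local ISP and clearinghouse, but it requires the home server to store the secret in recoverable form.

```python
"""Toy model of roaming dial-up authentication: laptop, local ISP server,
relay-style clearinghouse, home authentication server. Added example, not
iPass or GRIC code; all realms, users and secrets below are constructed."""
import hashlib
import hmac
import os
import re

# RFC 2486 Network Access Identifier: user@realm, realm a dotted FQDN.
# An id with no realm (or a malformed one) is treated as an ordinary local login.
NAI_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<realm>[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+)$")


def parse_nai(nai):
    """Return (user, realm) for a roaming id, or (nai, None) for a local id."""
    m = NAI_RE.match(nai)
    if m is None:
        return nai, None
    return m.group("user"), m.group("realm").lower()


def chap_response(ident, secret, challenge):
    """RFC 1994 CHAP response: MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class AuthServer:
    """Authentication server for one realm. CHAP verification needs the
    secret itself, so it is stored in recoverable form here."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = dict(users)  # user -> secret

    def verify(self, user, ident, challenge, response):
        secret = self.users.get(user)
        if secret is None:
            return False
        expected = chap_response(ident, secret, challenge)
        return hmac.compare_digest(expected, response)


class Clearinghouse:
    """Relay-style clearinghouse: forwards the request to the home server
    for the realm and returns its verdict. It sees the challenge and
    response but never the secret, and cannot verify anything itself."""

    def __init__(self, home_servers):
        self.home_servers = {s.realm: s for s in home_servers}

    def relay(self, realm, user, ident, challenge, response):
        home = self.home_servers.get(realm)
        if home is None:
            return False  # realm is not part of the alliance
        return home.verify(user, ident, challenge, response)


class LocalISP:
    """The ISP whose POP the traveller dialled. Its own users are checked
    locally; any foreign realm is relayed to the clearinghouse."""

    def __init__(self, auth_server, clearinghouse):
        self.auth = auth_server
        self.clearinghouse = clearinghouse

    def new_challenge(self):
        return os.urandom(1)[0], os.urandom(16)

    def authenticate(self, nai, ident, challenge, response):
        user, realm = parse_nai(nai)
        if realm is None or realm == self.auth.realm:
            return self.auth.verify(user, ident, challenge, response)
        return self.clearinghouse.relay(realm, user, ident, challenge, response)


def dial_in(isp, nai, laptop_secret):
    """Laptop side of the PPP/CHAP exchange: only the response crosses the
    wire, computed from the secret the user also uses at home."""
    ident, challenge = isp.new_challenge()
    response = chap_response(ident, laptop_secret, challenge)
    return isp.authenticate(nai, ident, challenge, response)


def build_alliance():
    """Constructed alliance: a home ISP, a corporate home server, and the
    local ISP that the traveller dials into."""
    home_isp = AuthServer("example.org", {"alice": b"alice-pw"})
    corp = AuthServer("corp.example.com", {"bob": b"bob-pw"})
    local = AuthServer("isp.example.net", {"carol": b"carol-pw"})
    return LocalISP(local, Clearinghouse([home_isp, corp]))


if __name__ == "__main__":
    isp = build_alliance()
    print("roamer, right secret :", dial_in(isp, "alice@example.org", b"alice-pw"))
    print("roamer, wrong secret :", dial_in(isp, "alice@example.org", b"wrong"))
    print("local user           :", dial_in(isp, "carol", b"carol-pw"))
    print("unknown realm        :", dial_in(isp, "dave@nowhere.example", b"x"))
```

The GRIC variant would differ only in the Clearinghouse class: instead of relaying, it would return the home server's address and a shared secret, and LocalISP would then call that home server itself. Either way, the password-equivalent never leaves the laptop and the home server, which is the property a roaming user should expect from the arrangement.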
The IETF Roaming Operations (roamops) working group was formed to tackle the interoperability, accounting, and security challenges inherent in providing roaming Internet access among ISPs. Thus far, this group has published an overview of roaming implementations (RFC 2194), agreed upon criteria for roaming protocol development (RFC 2477), defined how roaming users are identified (RFC 2486), and explored the security threats associated with proxy chaining (RFC 2607). Work is currently underway to define interchange formats for accounting records and phone books. Perhaps of greater interest to the TISC audience, work is underway to extend roaming authentication and authorization. EAP-TLS, DIAMETER, and certificates may be used to provide stronger user authentication. Protocols are being analyzed to identify threats to, and countermeasures for, both hop-by-hop and end-to-end integrity and confidentiality. Measures are being taken to detect and prevent roaming Internet access fraud, and to ensure compatibility between roaming approaches and tunneling protocols like L2TP and IPsec.
To learn more about roaming Internet access and associated security solutions and challenges, readers may want to visit the following sites:
IETF Roaming Operations (roamops) WG
iPass Home Page
GRIC Home Page