Supporting A Laptop Environment
Erick Engelke
Faculty of Engineering
University of Waterloo
[email protected]
http://www.eng/~erick/presentations/wirelessCanHEIT.htm
Initial Requirements
- check client identity
- userid/password to authenticate, authorize and log usage
- password verification (Active Directory)
- many similar solutions available (now)
- uncertain of other needs at that time
Network Authentication Appliance
- homegrown box (FreeBSD) to:
  - authenticate against either of 2 Active Directories
  - authorize access
  - log usage
  - act as router/firewall
Observations
- laptops outsell desktops
- expect continued growth of laptop usage
- new learning opportunities with laptops, but also new challenges for staff
- chasing security and bandwidth issues is time-consuming for staff
Part 1
Bandwidth Management
(thanks to Bruce Campbell)
Bandwidth Problem
- laptops consistently became the highest bandwidth consumers
- chasing people for bandwidth usage is time consuming
- is it possible to classify bandwidth as good/academic versus evil or recreational?
Good Versus Bad
- are there good and bad protocols?
  - KAZAA, SKYPE are bad!
  - SSH is good!
- except
  - SKYPE for collaboration is good
  - SSH used to tunnel bad protocols is bad
What are we trying to solve?
- If the issue is excessive bandwidth consumption, we are trying to reduce unnecessary bandwidth!
Traffic Shaping
- flat rate shaping is common
- to constrict to 2 GB/day: 20 kB/s
  - yikes! Interactive web sites and good browsing are hindered
- 100 kB/s yields 2 DVD downloads per day using bittorrent, but still feels slow (30 seconds) downloading a 3 MB powerpoint slide
Analyze Typical Traffic Patterns
- consistent low traffic volume is fine
- sustained high volume is bad
- bursts of high traffic are typical of web browsing, page editing, book reading, etc.
Traffic Shaping Summary
- fancy shaping algorithms like RED, WFQ, etc. are very coarse tools for bandwidth management
- they only measure what is going through the pipe, not what has gone through the pipe
- we want a feedback loop!
Toilet Tank Traffic Shaper
- emulate a toilet
  - reservoir of bandwidth
  - high output flow
  - small input flow
- users can enjoy a burst of bandwidth, but it slows to a trickle if you hold the lever
- release the lever and the reservoir refills, ready for the next download
TTTS Settings
- tank size
- maximum output rate
- maximum input rate
- minimum time to empty
  - causes output rate to decrease exponentially
- full percent
  - level at which full output rate is available
How It Works Internally
- uses FreeBSD's flat rate traffic shaping
- cron job every minute
  - looks at past traffic
  - 'pipes' are resized according to formula
- high volume users see gradual slowing
- when they stop, the speed increases
- "doctor it hurts when I do this" ... "well stop doing that!"
TTTS Settings at UW
- tank size: 200 MB
- max bandwidth: unlimited
- min bandwidth: 40 kB/s
- min empty time: 5 minutes
- full percent: 80%
- separate upload/download queues
- negligible effect on 95% of users
  - as if there were no rate limiting at all!
- heavy bandwidth users not possible
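An added simulation of the TTTS feedback loop from the preceding slides (example code, not the UW cron job). The slides give the settings but not the pipe-resizing formula, so the rule used here, capping the pipe at tank level divided by minimum-empty-time, and the 50 kB/s refill rate are assumptions; the other values are the UW settings.

```python
from dataclasses import dataclass
from math import inf


@dataclass(frozen=True)
class TTTSSettings:
    """The TTTS knobs from the slides, in bytes and seconds."""
    tank_size: float       # reservoir capacity (bytes)
    max_out: float         # maximum output rate (bytes/s); inf = unlimited
    max_in: float          # maximum input (refill) rate (bytes/s)
    min_empty_time: float  # minimum time to empty the tank (seconds)
    full_percent: float    # fraction of tank above which max_out is granted
    min_out: float         # floor on the output rate (bytes/s)


# Values from the "TTTS Settings at UW" slide; max_in is not given there,
# so 50 kB/s is an assumed refill rate.
UW = TTTSSettings(tank_size=200e6, max_out=inf, max_in=50_000,
                  min_empty_time=300, full_percent=0.80, min_out=40_000)


def allowed_rate(level, s):
    """Pipe size (bytes/s) for the coming minute, from the tank level.

    Above full_percent the user gets max_out.  Below it the rate is capped
    at level / min_empty_time (assumed formula), so holding the lever drains
    the tank along an exponential curve until min_out, the trickle, binds.
    """
    if level >= s.full_percent * s.tank_size:
        return s.max_out
    return min(s.max_out, max(s.min_out, level / s.min_empty_time))


def tick(level, demand, s, seconds=60.0):
    """One cron run: size the pipe, drain what was sent, refill.  Returns
    (new_level, rate_granted, bytes_sent)."""
    rate = allowed_rate(level, s)
    sent = min(demand, rate) * seconds          # demand = what the user wants
    level = level - sent + s.max_in * seconds   # drain, then refill
    return max(0.0, min(s.tank_size, level)), rate, sent


def simulate(demands, s, level=None):
    """Run the loop over per-minute demands (bytes/s); return rates, level."""
    level = s.tank_size if level is None else level
    rates = []
    for demand in demands:
        level, rate, _ = tick(level, demand, s)
        rates.append(rate)
    return rates, level
```

A 1 MB/s bulk downloader gets the first minute unlimited, then 477 kB/s, then 391 kB/s, while a 20 kB/s browser never leaves the full tank and is never shaped.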
Goal
- We want a strategy which encourages responsible client laptop management...
  - antivirus installed, receiving windows updates
How to Encourage Security
- educate
- reward
- remind
- nag
- embarrass
- punish
- or
  - detect and zero in on problem OS's
  - for Windows: need Antivirus, Updates
  - other OS's must not be hindered
Goals
- MinUWet
- NAA detects OS at login time
- vulnerable OS's placed into restricted mode, just HTTP access
  - that's enough to get latest updates, definitions
  - must run/pass our client validation tool (MinUWet) to get additional network protocols
- other OS's are not affected
Not Entirely Original
- similar to Cisco's Network Admission Control and MS Network Access Protection
- Cisco and MS systems are stronger, but less flexible and require big investment or waiting for release
- MinUWet doesn't have to be perfect, just better than previous mess
- MinUWet can be retired upon better options
Statistics from Two Week Trial
- just Faculty of Engineering
- 6486 wireless Windows users
- ¼ of them failed MinUWet initially
- ½ of failures were then fixed by users and staff
- Zero observed security threats (snort)
Campus-wide Deployment
- day 1
  - informed IT helpdesk staff
- day 2
  - message in daily bulletin
  - brief message at every wireless login
  - users may choose to test their systems
- day 14
  - system goes live campus-wide in enforce mode
Observations
- great for IT staff, no chasing people
- users of poorly managed systems informed
- fast, takes only seconds
- people don't like running it every time
MinUWet Memory Added
- laptops now validate only once per week
- 2/3rds of laptops are pre-approved
- still frequent enough to catch computers which fall out-of-scope of AV or patches
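An added model of the admission decision described on the Goals slide and in MinUWet Memory Added (example code, not UW's NAA or MinUWet): the OS detected at login decides whether validation applies, a pass is remembered for one week, and a Windows client without a current pass gets HTTP only. The protocol sets, user names and dates are constructed for the illustration.

```python
from datetime import datetime, timedelta

# Assumed policy constants: the slides give the one-week memory; the protocol
# sets only illustrate "just HTTP access" versus "additional protocols".
RESTRICTED = frozenset({"http"})
FULL = frozenset({"http", "https", "ssh", "imap", "smtp", "vpn"})
VALIDITY = timedelta(days=7)
CHECKED_OS = frozenset({"windows"})   # only Windows clients must run MinUWet


class AdmissionControl:
    """Remembers MinUWet results per userid and decides access at login."""

    def __init__(self, validity=VALIDITY):
        self.validity = validity
        self._passed_at = {}   # userid -> time of last successful validation

    def record_result(self, userid, passed, now):
        """Store a MinUWet run; a failure discards any earlier pass."""
        if passed:
            self._passed_at[userid] = now
        else:
            self._passed_at.pop(userid, None)

    def is_pre_approved(self, userid, now):
        """True while the last pass is younger than the validity window."""
        last = self._passed_at.get(userid)
        return last is not None and now - last < self.validity

    def access_for(self, userid, os_name, now):
        """Protocols granted at login, given the OS the NAA detected."""
        if os_name.lower() not in CHECKED_OS:
            return FULL          # other OSs are not hindered
        if self.is_pre_approved(userid, now):
            return FULL          # pre-approved: validated within the week
        return RESTRICTED        # enough to fetch updates and AV definitions


def example_timeline():
    """Constructed login sequence for one Windows and one Linux user."""
    t0 = datetime(2005, 9, 1, 9, 0)
    ac = AdmissionControl()
    out = [ac.access_for("alice", "Windows", t0),   # no record yet
           ac.access_for("bob", "Linux", t0)]       # never checked
    ac.record_result("alice", True, t0)
    out.append(ac.access_for("alice", "Windows", t0 + timedelta(days=3)))
    out.append(ac.access_for("alice", "Windows", t0 + timedelta(days=7)))
    ac.record_result("alice", False, t0 + timedelta(days=7))
    out.append(ac.access_for("alice", "Windows", t0 + timedelta(days=7)))
    return out
```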
What We Learned
- client validation works, every school will get it eventually
- some users know they will fail, so they live with HTTP-only access
- IT support made more scalable
- may be a good idea for grad student wired computers, residences
Wireless Needs (Revised)
- identity (auth/access/logging)
- bandwidth management
- admission control
- data encryption (VPN, 802.1X)
- roaming – variety of options