Supporting A Laptop Environment

1
Supporting A Laptop Environment

Erick Engelke Faculty of Engineering University
of Waterloo erick_at_uwaterloo.ca http//www.eng/eri
ck/presentations/wirelessCanHEIT.htm
2
Initial Requirements

• check client identity
• userid/password to authenticate, authorize and
  log usage
• password verification (Active Directory)
• many similar solutions available (now)
• uncertain of other needs at that time

3
Network Authentication Appliance

• homegrown box (FreeBSD) to
• authenticate against either of 2 Active
  Directories
• authorize access
• log usage
• act as router/firewall

4
Observations

• laptops outsell desktops
• expect continued growth of laptop usage
• new learning opportunities with laptops, but also
  new challenges for staff
• chasing security and bandwidth issues is
  time-consuming for staff

5
Part 1Bandwidth Management

• (thanks to Bruce Campbell)

6
Bandwidth Problem

• laptops consistently became highest bandwidth
  consumers
• chasing people for bandwidth usage is time
  consuming
• is it possible to classify bandwidth as
  good/academic versus evil or recreational?

7
Good Versus Bad

• are their good and bad protocols?
• KAZAA, SKYPE are bad!
• SSH is good!
• except
• SKYPE for collaboration is good
• SSH used to tunnel bad protocols is bad

8
What are we trying to solve?

• If the issue is excessive bandwidth consumption,
  we are trying to reduce unnecessary bandwidth!

9
Traffic Shaping

• flat rate shaping is common
• to constrict to 2 GB/day 20 kB/s yikes!
  Interactive web sites and good browsing are
  hindered
• 100 kB/s yields 2 DVD downloads per day using
  bittorrent, but still feels slow (30 seconds)
  downloading a 3 MB powerpoint slide

10
Analyze Typical Traffic Patterns

• consistent low traffic volume is fine
• sustained high volume is bad
• bursts of high traffic is typical web browsing,
  page editing, book reading, etc.

11
Traffic Shaping Summary

• fancy shaping algorithms like RED, WFQ, etc. are
  very coarse tools for bandwidth management
• they only measure what is going through the pipe,
  not what has gone through the pipe
• we want a feedback loop!

12
Toilet Tank Traffic Shaper

• emulate a toilet
• resevoir of bandwidth
• high output flow
• small input flow
• users can enjoy a burst of bandwidth, but it
  slows to a trickle if you hold the lever
• release the lever and the reservoir refills,
  ready for the next download

13
TTTS Settings

• tank size
• maximum output rate
• maximum input rate
• minimum time to empty
• causes output rate to decrease exponentially
• full percent
• level at which full output rate is available

14
How It Works Internally

• uses FreeBSDs flat rate traffic shaping
• cron job every minute
• looks at past traffic
• pipes are resized according to formula
• high volume users see gradual slowing
• when they stop, the speed increases
• doctor it hurts when I do this well stop
  doing that!

15
TTTS Settings at UW

• tank size 200 MB
• max bandwidth unlimited
• min bandwidth 40 kB/s
• min empty time 5 minutes
• full percent 80
• separate upload/download queues
• negligable effect on 95 of users
• as if there were no rate limiting at all!
• heavy bandwidth users not possible

16
Part 2Client Admission Control

• MinUWet

17
Goal

• We want a strategy which encourages responsible
  client laptop management
• antivirus installed, receiving windows updates

18
How to Encourage Security

• educate
• reward

• remind
• nag
• embarrass
• punish

or
19
How to Encourage Security

• educate ?
• reward

• remind
• nag
• embarrass
• punish

or
20
How to Encourage Security

• educate
• reward

• remind
• nag
• embarrass
• punish

or
21
Goals

• detect and zero in on problem OSs
• for Windows
• need Antivirus, Updates
• other OSs must not be hinderred

22
MinUWet

• NAA detects OS at login time
• vulnerable OSs
• placed into restricted mode, just HTTP access
• thats enough to get latest updates, definitions
• Must run/pass our client validation tool
  (MinUWet) to get additional network protocols
• other OSs are not affected

23
Not Entirely Original

• similar to Ciscos Network Admission Control and
  MS Network Access Protection
• Cisco and MS systems are stronger, but less
  flexible and require big investment or waiting
  for release
• MinUWet doesnt have to be perfect, just better
  than previous mess
• MinUWet can be retired upon better options

24
Statistics from Two Week Trial

• just Faculty of Engineering
• 6486 wireless Windows users
• ¼ of them failed MinUWet initially
• ½ of failures were then fixed by users and staff
• Zero observed security threats (snort)

25
Campus-wide Deployment

• day 1
• informed IT helpdesk staff
• day 2
• message in daily bulletin
• brief message at every wireless login
• users may choose to test their systems
• day 14
• system goes live campus-wide in enforce mode

26
(No Transcript)
27
(No Transcript)
28
(No Transcript)
29
Observations

• great for IT staff, no chasing people
• users of poorly managed systems informed
• fast, takes only seconds
• people dont like running it every time

30
MinUWet Memory Added

• laptops now validate only once per week
• 2/3rds of laptops are pre-approved
• still frequent enough to catch computers which
  fall out-of-scope of AV or patches

31
What We Learned

• client validation works, every school will get it
  eventually
• some users know they will fail, so they live with
  HTTP-only access
• IT support made more scalable
• may be a good idea for grad student wired
  computers, residences

32
Wireless Needs (Revised)

• identity (auth/access/logging)
• bandwidth management
• admission control
• data encryption (VPN, 802.1X)
• roaming variety of options

33
Thank You