MOBILE VPN Integration of WLAN and 3G

1
MOBILE VPN Integration of WLAN and 3G

• Frederic Paint
• Telenor FoU
• Frederic.paint_at_telenor.com

2
Outline

• TODAY A QUIET COMPLEX PICTURE
• WHAT DO WE WANT IN THE FUTURE
• MAIN CONCEPT AND CHALLENGES
• SUMMING UP

3
My journey to Atlanta

• Gardermoen
• Wireless ISP offer from xyz. Used credit card,
  got confrmation that it worked, but didnt
  actually work. Tried again, still didnt work.
  Had to call a foreign number, they didnt even
  know about WLAN.
• Tried another provider. Did work, but VPN didnt
  work
• Atlanta
• Bought a scracth card. Registered on WLAN, got a
  password for subsequent logons. Lap-top for some
  reason doesnt see the Smart card reader. I
  reboot.
• After reboot, need to use WLAN password, Pin code
  for VPN.
• Finally I could download my emails
• Will have a tough time registering my travel
  expenses

4
Today The situation
User name/password Certificates Password
generator
Remote accessVPN
User name password
Corporate Network
Very Complex for CORPORATIONS
Access Server
Network VPN
ISDN
Internet
Network VPN
Very Complex for OPERATORS
GSMGPRS/UMTS
WLAN
User name/password
Very Complex for USERS
SIM CARD
5
COSTS AND USAGE

• High COSTS for all
• No standard or defacto solutions
• Segmented market
• High operational costs
• Training, maintenance, customer care
• USAGE is Cumbersome
• Limits usability of nomadic computing
• Always something that goes wrong
• Bad for WLAN, 3G and Corporations

6
WHAT DO WE WANT ?

• IT SHOULD BE SIMPLE

• IT SHOULD BE SIMPLE

• IT SHOULD BE SIMPLE

7
KEEP IT SIMPLE FOR THE USER

• One Connection Interface for the user
• Smart Client that chooses the best connection at
  any given time according to specified policies
  defined by corporation
• The User should be able to move freely without
  having to interact with any of the devices
• Simple Authentication
• Why the same person should have multiple
  credentials, and multiple authentication
  processes towards the same system ?
• User names, passwords, scratch cards are not user
  friendly authentication mechanisms
• No credit card
• Involves the person as person and not as an
  employee
• Billing issues
• It should work always. Availability should be
  99.999

8
KEEP IT SIMPLE AND SECURED FOR THE ENTERPRISE

• One solution independant of the access technology
• Simplifies Corporate Networks operations and
  maintenance
• Minimises Complexity and reduces investments
• The Mobility of the user should be transparent
  for the Corporate Network
• Otherwise we cannot call ourselves a mobile
  operator

9
KEEP IT SIMPLE FOR THE MOBILE OPERATOR

• One standard Mobile VPN mechanism
• minimises operational costs e.g. Training
• Available in devices, less need for specific
  clients.
• One Authentication method for all networks
• minimises operational cost e.g. Training.
• Simpler Management
• Simpler Provisioning

10
AN INNOVATIVE MODEL
Corporate Network
Value Added Services
Mobile Authentication Center
Mobile VPN Network
GSM/UMTS
GPRS/UMTS
WLAN
SIM CARD
Devices
11
Opportunities

• Better solution
• Can disable confidentiality in the VPN in case of
• WPA (Wifi Protected access)
• GPRS/UMTS (since Cellular link is encrypted)
• Can disable tunneling in case of GPRS/UMTS
• Minimum overhead over cellular
• QoS for VPNs
• Aggregation
• Operator can serve many corporate networks
• Same solution for all types of devices, works
  everywhere the same way.
• One Bill

12
MAIN CONCEPTS and CHALLENGES

• Single Authentication Mechanism
• Mobile VPN
• Connection Manager

13
MAIN CONCEPTS and CHALLENGESSingle
Authentication Mechanism

• SIM Authentication
• SIM card is used for getting access to 2G/3G
  networks
• A well known and certified mechanism that has
  been used the past 15 years in GSM world
• SIM for WLAN
• 3GPP standard, IETF draft, GSMA. Both prepaid and
  postpaid supported
• Roaming tests ungoing in WLAN task force of GSMA
• Early deployments already exists in several
  countries China Mobile ,Orange Switzerland,
  Sonera.
• GSM family has a tradition for roaming. Public
  hot-spots mostly deployed by MNOs (Orange ha 3001
  hot-spots in France)
• SIM cards in Lap-tops
• SIM socket to the GSM handset, USB SIM readers,
  WLAN with inbuildt SIM reader
• SIM for VPNs
• IKEv2 supports SIM based authentication but still
  under work
• Could use SIM based certificates for IKE and
  IKEv2

14
MAIN CONCEPTS and CHALLENGESMOBILE VPN
Solutions

• We need one standard solution which is
• Available in most devices
• That every WLAN, LAN, CDMA, 3G operator knows
  about so that the VPN goes through the firewall.
• Supports Mobility
• 3GPP standard
• Under definition, based on IKEv2
• VPN gateway compatible with curent GPRS
  deployment . VPN gateway can be integrated with
  current GPRS nodes.
• Planned to work for small devices, e.g. PDA,
  handsets.

15
CONNECTION MANAGER

• Client on the device that supports the Mobile VPN
  solution
• Has a comprehensive audiovisual interface to the
  user
• Can be taylored to corporate needs and policies
• Needs to be supported by many Operative systems
  including Symbian

16
SUMMING UP

• Why do we need better solutions
• What the Mobile VPN concept is
• What are the challenges

Questions