Saturday, February 16, 2008

Mobiles - Secure Remote Access & firewalls in middle

It is well known that IPsec with IKEv2 is typically used to tunnel remote user traffic to Enterprise networks with IPsec client running in laptops and IPsec Gateway installed in Enterprises.

Mobiles are being equipped with IPsec client to access company network resources remotely. Wifi enabled mobiles can be used to access company resources from homes, using visitor networks of other companies, from airports, from coffee shopts etc..

IPsec uses UDP 500, UDP 4500 for key exchange. Data packets are sent using UDP 4500 or IP protocols ESP, AH, IPCOMP. These ports and protocols must be opened in firewalls that are between mobiles and Enterprise IPsec gateways. Without these ports open, traditional IPsec communication does not work.

It appears that some administrators are willing to open UDP 500 and 4500 ports permanantely, but unwilling to open ESP, AH and IPCOMP protocols. Due to this, I have a feeling that eventually all IPsec communication from mobiles would happen on UDP 4500, even if there is no NAT device in between.

In some cases, administrators are unwilling to open any outbound UDP port other than DNS port. If mobiles are behind these firewalls, using SSL (TCP 443) would be a good choice. Since SSL is dependent on TCP, this type of communication is not ideal for real time traffic such as voice and video.

IMO, Mobiles in future will have both IPsec and SSL VPN tunnel support. I propose Firewall traversal discovery mechanism that can be used to select either IPsec or SSL VPN tunnel. Firewall discovery involves both client and server - Client residing in mobiles and Server residing in Enteprise gateway. Client sends UDP 500 or UDP 4500 'echo request' message to find out reachability with Enteprise gateway. Server is expected to send 'echo reply' message on the UDP session upon receiving 'echo' message. If client receives 'echo response' message, it can use Ipsec tunnels. Otherwise, Mobiles need to fallback to SSL VPN tunnel. Firewall discovery echo messages must use its own 'payload' types to avoid conflicts with existing payload types in IKEv2.


    • Secure Remote Access from Mobiles to Enterprise networks will happen on either IPsec tunnel or SSL tunnel.
    • Firewall traversal discovery mechanism would be used to select IPsec tunnel or SSL tunnel.
    • IPsec tunnel is preferred over SSL tunnel.
    • IPsec tunnels would use UDP encapsulation even if NAT devices are not detected.

    1 comment:

    Benzin said...

    Remote access apart, vendors such as RHUB are coming up with innovative technology that enables Web Conferencing through mobiles. It’s just enough if you are equipped with a phone with 3G capabilities.