Thomschutz Thesis.Pdf (5.332Mb)
Total Page:16
File Type:pdf, Size:1020Kb
Security in Packet-Switched Land Mobile Radio Backbone Networks by Hans Olaf Rutger Thomschutz Thesis submitted to the faculty of the Virginia Polytechnic Institute and State University in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering Dr. Scott F. Midkiff, Chair Dr. Luiz A. DaSilva Dr. A. Lynn Abbott May 25, 2005 Blacksburg, Virginia Keywords: Land Mobile Radio, Security, Encryption, Voice over IP Copyright 2005, Hans Olaf Rutger Thomschutz Security in Packet-Switched Land Mobile Radio Backbone Networks by Hans Olaf Rutger Thomschutz Dr. Scott F. Midkiff, Chair (ABSTRACT) Spurred by change in government regulations and to leverage lower-cost technology and services, many land mobile radio (LMR) operators have begun transitioning from circuit- switched to packet-switched backbone networks to handle their future communication needs. Due to the unique demands of packet-switched backbone networks for LMR, it may not be wise to carry over the previously implemented security methods used with circuit-switch systems or to treat an LMR backbone as a regular packet-switched network. This thesis investigates security in packet-switched LMR backbone networks to identify security issues in packet-switched LMR networks and provide possible solutions for them. Security solutions that are examined include different types of virtual private networks (VPNs), various encryption and keying procedures for safe communication, and logic behind how and where to implement security functions within the network. Specific schemes examined include IP Security (IPSec), OpenVPN, Virtual Tunnel (VTun), and Zebedee. I also present a quantitative analysis of the effects that the solutions have on packet-switched networks, in terms of link utilization, and on voice traffic, in terms of delay and delay jitter. In addition, I evaluate, in general terms, the additional cost or complexity that is introduced by the different security solutions. Simulation with OPNET Modeler was used to evaluate how the various security schemes affect voice communication and network performance as a whole. Since OPNET Modeler does not provide models of security functions, the source code of the transceiver system models was modified to introduce additional overhead that is representative of the various security solutions. Through experimentation, simulation, and analysis of the security schemes considered, it was found that the most effective security scheme overall for a packet-switched LMR backbone network would either be IPSec or OpenVPN implemented at the base stations and end-hosts. Both security schemes provide strong encryption, flexibility, and are actively supported. However, if bandwidth is scarce and flexibility is less important, then a security solution with less overhead, such as VTun, should be considered. Thus, one has to balance performance with security to choose the most effective security solution for a particular application. Acknowledgments I would like to greatly thank my advisor, Dr. Scott F. Midkiff, for his continued guidance and support through the development of this thesis. His positive influence had a significant impact on my educational experience, which I will carry with me wherever I go and accomplish. I would also like to thank my other committee members, Dr. Luiz A. DaSilva and Dr. A. Lynn Abbott for their valuable feedback and for serving on my committee. Further thanks to Dr. Jahng S. Park for providing his expertise with OPNET Modeler; George Hadjichristofi for his time, expertise, and assistance with IP Security; Mr. Randy Marchany for his enthusiastic advice on security and inspiration to pursue the area. My experience would not have been as fulfilling without the persons in the Networking Lab who made every day an adventure. Their daily companionship will be missed. I would like to thank my family, Hans, Liv, and Jesper for their love, support, and encouragement. Great appreciation goes to Dana Garnand, whose advice and encouragement helped make this thesis successful. The opportunity to work on a project sponsored by the U.S. Customs Service provided financial support and the insight and motivation to pursue this topic. iii Contents 1 Introduction 1 1.1 Overview.........................................................................................................................1 1.2 Problem Statement..........................................................................................................3 1.3 Organization of Thesis....................................................................................................4 2 Background 6 2.1 Circuit-Switched LMR Networks...................................................................................7 2.1.1 System Infrastructure and technology.....................................................................7 2.1.2 Currently Available Systems and Products.............................................................9 2.2 Packet-Switched LMR Networks..................................................................................10 2.2.1 System Infrastructure and Technology .................................................................11 2.2.2 Currently Available Systems and Products...........................................................15 2.2.3 Security of Packet-Switched Systems and Products .............................................21 2.3 Comparison of Circuit-Switched versus Packet-Switched Networks...........................22 2.4 Existing Security Approaches.......................................................................................24 2.4.1 Communications Security.....................................................................................24 2.4.2 Packet Security......................................................................................................25 2.5 Summary .......................................................................................................................31 3 Research Objectives 34 3.1 Problem Statement and Motivation...............................................................................34 3.2 System Architecture......................................................................................................36 iv 3.3 System Boundaries........................................................................................................37 3.4 Selection of the Evaluation Technique .........................................................................37 3.5 Fixed Parameters and Workload ...................................................................................38 3.6 Factors and their Levels ................................................................................................39 3.7 Performance Metrics.....................................................................................................39 3.8 Summary .......................................................................................................................41 4 Security Issues in LMR Backbone Neworks 42 4.1 Background ...................................................................................................................42 4.1.1 Confidentiality ......................................................................................................43 4.1.2 Authentication.......................................................................................................45 4.1.3 Message Integrity..................................................................................................46 4.1.4 Access Control......................................................................................................46 4.2 Security in Legacy LMR Networks ..............................................................................46 4.3 Security in Data Networks ............................................................................................47 4.4 General Security Issues.................................................................................................49 4.5 Security Designs...........................................................................................................50 4.6 Summary .......................................................................................................................55 5 Simulation Models and Methodology 56 5.1 Simulation Model..........................................................................................................56 5.1.1 Links, Routers, and Base Stations/Transceivers ...................................................57 5.1.2 Application, Profile, and QoS Configuration........................................................60 5.1.3 Network Traffic.....................................................................................................63 5.2 Validation......................................................................................................................66 5.3 Experimental Design.....................................................................................................69 5.3.1 Length of Simulations...........................................................................................69 5.3.2 Estimating the Number of Replications ................................................................70 5.3.3 Special Considerations for Random Numbers ......................................................72 5.4 Evaluation and Analysis................................................................................................72