Mobile IP – Another way to do NAC/NCP and 802.1x?

I have been looking around recently to try to find what vendors are offering Mobile IP clients/servers. It is very disappointing to see that there does not seem to be much support for the architecture in vendor land. Even Cisco used to have a Mobile IP client, but it seems to have suffered the fate of End-Of-Life.

So what is Mobile IP? Mobile IP lets a mobile device (smartphone, PDA, laptop, desktop) keep the same IP address no matter which public network it connects to. This is done by the client maintaining a connection through a tunnel back to a “home server”.

But isn’t this what an IPSEC VPN client does? Yes, but the difference comes from how IPSEC works: it sets up sessions tied to your current local IP. So if you, say, switch WiFi hotspots, or change from WiFi to a 3G connection, then your IP changes. This means your current IPSEC tunnel will drop. The benefit of Mobile IP is that it is designed to take this into account and so “transparently” reconnects you back to your home network.

Great, so why do we use an IPSEC VPN instead of Mobile IP? The simple answer is that Mobile IP was built to handle mobility, and IPSEC was built to ensure a secure connection. However, there is nothing stopping you from running your IPSEC session from within the Mobile IP tunnel. If your IPSEC session is tied to your Mobile IP address, which moves with you, then the fact that you have changed WiFi hotspots or even network connection types wouldn’t be seen by IPSEC, and you could essentially have an always-connected secure IPSEC connection to your home network.

Now here is the scary thought, and I will dive into the theory of Enterprise deperimeterisation. Instead of sitting all your desktops behind a firewall and trying to protect against rogue access points and third-party laptops (part of why you would deploy 802.1X and NAC/NCP), what if you deploy Internet segments for all your workstation users? If you can make sure all your workstations are installed with Mobile IP clients and VPN clients that connect at LAN speeds back to the Mobile IP/VPN servers, then you no longer have to worry about trying to protect a large segment of your network. Basically you would be saying: the workstation segments are part of the Internet, and so I have invested in my workstation security on the assumption that it’s a hostile environment, instead of spending time and money trying to keep my Enterprise workstation segments safe. While a full deployment like this is likely to be unrealistic, a partial or hybrid implementation may be appropriate. If you deploy a restricted Internet access point so you have some confidence of protection against threats like sniffers, then you can relieve the need for large VPN servers (which are mainly used to protect confidentiality) and just run the Mobile IP client when on the LAN with no VPN.

What is the benefit? Think about your current remote access solution, and then imagine instead offering your business users a totally transparent solution that means that no matter what network connectivity they are using they will be automatically connected to the Enterprise network. Which do you think they would want? For example, a business user is sitting in the office; they undock and the Mobile IP client automatically looks for the next best configured network connection. It can’t find an available WiFi hotspot, so it dials in using the 3G data card connection and establishes the VPN connection. The business user later sits down at a café with open WiFi and the Mobile IP client automatically swaps the connections to take advantage of the better speed. Meanwhile the VPN has remained established, and so all the business user sees is that when they are ready to work in the café their emails are up to date and they already have full enterprise network connectivity.
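To make the mechanics behind the two earlier points concrete (an IPSEC session keyed on the local address drops on a network change, while one keyed on the Mobile IP home address survives) and to walk through the office-to-3G-to-café scenario above, here is an added simulation. It is not code from the original post or from any vendor’s client; it models the RFC 5944 roles (mobile node, home agent, care-of address, binding lifetime) in simplified form, uses constructed documentation-range addresses, and does not implement the real wire formats or the registration authentication a real home agent requires.

```python
"""Simplified Mobile IP simulation: a home agent keeps a binding from the
mobile node's fixed home address to its current care-of address and tunnels
traffic to it (IP-in-IP style).  An 'IPsec session' keyed on the local
address breaks when the care-of address changes; one keyed on the home
address does not.  Added illustration, not the post's or any vendor's code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    # Outer header present only while the packet is inside the tunnel
    outer_src: Optional[str] = None
    outer_dst: Optional[str] = None


class HomeAgent:
    """Holds home address -> (care-of address, binding expiry time)."""

    def __init__(self, address: str):
        self.address = address
        self.bindings: Dict[str, Tuple[str, float]] = {}

    def register(self, home_addr: str, care_of: str, lifetime: int, now: float) -> None:
        # A real home agent must authenticate this request (mobile-home
        # authentication extension); unauthenticated binding updates would
        # let anyone redirect the mobile node's traffic.  Skipped here.
        self.bindings[home_addr] = (care_of, now + lifetime)

    def deliver(self, pkt: Packet, now: float) -> Optional[Packet]:
        """Encapsulate a packet for the home address toward the current care-of address."""
        binding = self.bindings.get(pkt.dst)
        if binding is None or binding[1] < now:
            return None  # no valid binding: nothing to forward
        care_of, _ = binding
        return Packet(pkt.src, pkt.dst, pkt.payload, outer_src=self.address, outer_dst=care_of)


class MobileNode:
    def __init__(self, home_addr: str, home_agent: HomeAgent):
        self.home_addr = home_addr
        self.ha = home_agent
        self.care_of: Optional[str] = None

    def attach(self, new_care_of: str, now: float) -> None:
        """Invoked on every network change (office Wi-Fi, 3G, café Wi-Fi)."""
        self.care_of = new_care_of
        self.ha.register(self.home_addr, new_care_of, lifetime=300, now=now)

    def receive(self, pkt: Optional[Packet]) -> Optional[Packet]:
        if pkt is None or pkt.outer_dst != self.care_of:
            return None
        return Packet(pkt.src, pkt.dst, pkt.payload)  # decapsulated inner packet


@dataclass
class IpsecSession:
    """An SA bound to a local endpoint address; unusable once that address changes."""
    local_endpoint: str
    peer: str

    def usable_from(self, current_local_addr: str) -> bool:
        return current_local_addr == self.local_endpoint


def run_scenario() -> Dict[str, bool]:
    # Constructed addresses from the documentation ranges
    ha = HomeAgent("198.51.100.1")
    mn = MobileNode("198.51.100.50", ha)
    corr = "198.51.100.10"  # mail server on the home network
    sa_on_home = IpsecSession(local_endpoint=mn.home_addr, peer=corr)
    results: Dict[str, bool] = {}
    t = 0.0

    mn.attach("203.0.113.7", t)  # office Wi-Fi
    sa_on_local = IpsecSession(local_endpoint="203.0.113.7", peer=corr)
    results["delivered_office"] = mn.receive(ha.deliver(Packet(corr, mn.home_addr, "mail"), t)) is not None

    t += 10
    mn.attach("192.0.2.77", t)  # undocked, fell back to 3G
    results["delivered_3g"] = mn.receive(ha.deliver(Packet(corr, mn.home_addr, "mail"), t)) is not None
    results["local_sa_survives"] = sa_on_local.usable_from(mn.care_of)
    results["home_sa_survives"] = sa_on_home.usable_from(mn.home_addr)

    t += 10
    mn.attach("203.0.113.200", t)  # café Wi-Fi
    results["delivered_cafe"] = mn.receive(ha.deliver(Packet(corr, mn.home_addr, "mail"), t)) is not None

    t += 400  # binding lifetime elapsed with no re-registration
    results["delivered_after_expiry"] = ha.deliver(Packet(corr, mn.home_addr, "mail"), t) is not None
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {ok}")
```

The expiry case at the end is the operational caveat: the client has to keep re-registering within the binding lifetime, or the home agent silently stops forwarding, which is the same class of "why did my session die" problem the post attributes to IPSEC, just moved to a different layer.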

Yes, there are some details missing in the scenario (I only wanted to convey the concept, not the nitty gritty). I would rather have a fleet of laptops out there that are always automatically and transparently connected to the Enterprise, rather than worrying about laptops that require end users to boot up remote access solutions and authenticate when they want to connect to Enterprise resources. Because we all believe that end users will always follow a policy that requires them to only connect to the VPN when offsite, and not to use the laptop for browsing all those fun sites directly.
