This document describes the detailed setup and execution steps for our
demonstration environment, which we showed at the TCG Association
Seminar at RSA Conference 2014 in San Francisco.
The demonstration scenario integrates the strongSwan
VPN solution, developed by the University of Applied Sciences in Rapperswil (Switzerland),
with several iron* tools by the Trust@HsH research group
at the University of Applied Sciences and Arts in Hanover (Germany), and
the Android-IF-MAP-Client by DECOIT
GmbH, an SME from Bremen (Germany).
For a short overview of the demonstration see our demonstration
description (html | pdf).
Hint: If you just want to play around with our iron* tools and IF-MAP, we recommend
using our demonstration and simulation environment irondemo.
- VirtualBox (VMs created with version 4.2.16)
- 2 Android smartphones (minimum Android version 4.0)
- Wifi access point or hostapd capable Wifi card
The demonstration environment contains 2 IP networks:
The VirtualBox VMs are already preconfigured for these IP networks. You have to
assign IP addresses for the smartphones:
- Smartphone 1 “BYOD smartphone”:
- Smartphone 2 “admin smartphone”:
10.0.1.114 (to keep the demonstration simple we let the
admin smartphone access the demo-internal VM via the external network)
Testing the network configuration
Now you should check the network configuration:
- From the demo-gateway VM try to ping
- From the demo-gateway VM try to ping
- From the demo-internal VM try to ping
If these ping tests are successful, you should be ready to proceed with the configuration.
Enable IP forwarding on the demo-gateway VM:
demo@demo-gateway:~$ sudo -s
demo@demo-gateway:~# echo "1" > /proc/sys/net/ipv4/ip_forward
Configuration for the BYOD smartphone:
- Import the demo CA certificate into
the certificate store on the BYOD smartphone.
- Install the strongSwan VPN Client
from the Google Play store and add a new VPN profile:
  - Profile Name: 10.0.1.1
  - Gateway: 10.0.1.1
  - Type: IKEv2 EAP-TNC (Username/Password)
  - Username: demo
  - Password: demo
  - CA certificate: HSR demo CA
- Install the DECOIT Android-IF-MAP-Client
and configure it as follows:
  - [ ] Enable auto-start
  - [ ] Enable auto-connect
  - [x] Enable session-retry
  - [ ] Enable caching
  - [x] Enable auto-update
  - [x] Use Esukom-Metadata
  - [ ] Don't send app infos
  - [x] Don't send google-apps infos
  - Auto-Update Interval = 60000
  - Retry-Session-Interval = 30000
  - Server IP-Address = 192.168.5.3
  - Server Port-Number = 8443
  - [x] Basic Authentication
  - Username = sensor
  - Password = sensor
  - [x] Connection type
  - Renew-Request Interval = 12000
  - [x] allow unsafe SSL
  - [ ] Enable Location-Tracking
  - [ ] Log to file
  - [x] Enable new/end-session log
  - [ ] Enable renew-session logging
  - [x] Enable auto-update logging
  - [x] Enable publish-characteristic
  - [x] Enable error-message logging
  - [x] Enable invalid-response log
Configuration for the admin smartphone:
Running the demo
Step 1: Starting Components
Start irond with the Oracle JRE:
demo@demo-internal:~$ export PATH=/home/demo/jre1.7.0_51/bin:$PATH
demo@demo-internal:~$ cd bin/irond-0.4.0
demo@demo-internal:~$ cd irondhcp-0.3.2
demo@demo-internal:~/irondhcp-0.3.2$ java -jar irondhcp.jar
demo@demo-internal:~$ cd irondetect-0.0.5
demo@demo-gateway:~$ sudo ipsec start
ironcontrol on the admin smartphone:
- Create a new connection to the MAPS running on
- Create a new subscription starting with the device identifier “strongswan”.
- Enable notifications for new poll results.
DECOIT Android-IF-MAP-Client on the BYOD smartphone:
- Start a new IF-MAP session. The smartphone cannot access the internal network yet
and should try to establish a new MAPS connection periodically.
Use irongui to observe the content of the MAPS.
For a subscription use the device identifier “strongswan” as the start identifier.
Step 2: VPN connecting with the BYOD smartphone
- Connect the BYOD smartphone to the VPN by activating the
- See how new metadata about the VPN connection, including IP/MAC addresses and
usernames, gets published to the MAPS.
- After a short timeout the DECOIT Android-IF-MAP-Client establishes a new SSRC connection
to the MAPS and begins to publish feature metadata about the smartphone (containing information
about installed apps).
Step 3: Installing a suspicious app
- Now, install the SuspiciousApp.apk on the BYOD smartphone.
- The app requests a set of “suspicious” permissions.
- The DECOIT Android-IF-MAP-Client should pick up the information about the new app and send
updated metadata to the MAPS.
- irondetect evaluates the new information and finds the BYOD smartphone violating the
policy defined in
$HOME/irondetect-0.0.5/policy/demo.pol. irondetect now publishes
metadata representing an alarm notification.
- The admin smartphone should receive the alarm metadata.
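To make the Step 3 detection concrete, here is an added example (not irondetect code, and not the demo.pol policy, whose syntax this page does not reproduce): a small rule, with a constructed set of Android permissions and a constructed threshold, is applied to constructed app feature metadata from the BYOD smartphone and yields an alarm record of the kind a detector would publish.

```python
from dataclasses import dataclass

# Constructed stand-in for the demo.pol rule: an app requesting at least
# THRESHOLD of these permissions is treated as suspicious. irondetect's real
# policy language is not reproduced; the names are standard Android permissions.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}
THRESHOLD = 3

@dataclass(frozen=True)
class AppFeature:
    """Simplified feature metadata for one installed app on a device."""
    device: str
    package: str
    permissions: frozenset

def evaluate(features, policy=SUSPICIOUS_PERMISSIONS, threshold=THRESHOLD):
    """Apply the rule to every app; return one alarm dict per violation.
    The dict is a constructed shape, not irondetect's metadata schema."""
    alarms = []
    for app in features:
        matched = app.permissions & policy
        if len(matched) >= threshold:
            alarms.append({
                "type": "alarm",
                "device": app.device,
                "package": app.package,
                "reason": "suspicious permissions: " + ", ".join(sorted(matched)),
            })
    return alarms

# Constructed sample: two apps reported by the BYOD smartphone; only the
# second one crosses the threshold.
SAMPLE_FEATURES = [
    AppFeature("byod-smartphone", "com.example.weather",
               frozenset({"android.permission.INTERNET",
                          "android.permission.ACCESS_FINE_LOCATION"})),
    AppFeature("byod-smartphone", "com.example.suspiciousapp",
               frozenset({"android.permission.SEND_SMS",
                          "android.permission.READ_CONTACTS",
                          "android.permission.RECORD_AUDIO"})),
]

if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_FEATURES):
        print(alarm)
```

In the demo the equivalent alarm metadata is what the admin smartphone's subscription picks up; lowering the threshold here shows how quickly a permissive rule also flags ordinary apps.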
If you have any questions, problems or comments, please contact