Open Source Tools Demonstration at RSA Conference 2014

This document describes the detailed setup and execution steps for our demonstration environment, which we showed at the TCG Association Seminar at RSA Conference 2014 in San Francisco. The demonstration scenario integrates the strongSwan VPN solution, developed by the University of Applied Sciences in Rapperswil (Switzerland), with several iron* tools by the Trust@HsH research group at the University of Applied Sciences and Arts in Hanover (Germany), and the Android-IF-MAP-Client by DECOIT GmbH, an SME from Bremen (Germany).

For a short overview of the demonstration see our demonstration description (html | pdf).

Hint: If you just want to play around with our iron* tools and IF-MAP, we recommend using our demonstration and simulation environment irondemo.

Demo setup

Requirements

  • VirtualBox (VMs created with version 4.2.16)
  • 2 Android smartphones (minimum Android version 4.0)
  • Wifi access point or hostapd capable Wifi card

Downloads

Network configuration

The demonstration environment contains 2 IP networks:

  • 10.0.1.0/24 (external network)
  • 192.168.5.0/24 (internal network)

The VirtualBox VMs should have the following network interfaces configured:

  • demo-gateway:
    • Adapter 1: NAT
    • Adapter 2: internal network “demo-internal”
    • Adapter 3: network bridge to the interface which is connected to the Wifi
  • demo-internal:
    • Adapter 1: NAT
    • Adapter 2: internal network “demo-internal”
    • Adapter 3: network bridge to the interface which is connected to the Wifi
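A quick way to confirm that a VM really has the three adapters listed above is to parse the output of "VBoxManage showvminfo <vm> --machinereadable". The following POSIX shell helper is an added example, not part of the original demo environment; it assumes the host interface that faces the Wifi is called wlan0.

```shell
#!/bin/sh
# Added helper (not from the original demo): checks a VM's adapters against the
# demo layout: NAT, internal network "demo-internal", bridge to the Wifi interface.
# Reads the key="value" lines of "VBoxManage showvminfo --machinereadable" on stdin.
check_vm_nics() {
  want_bridge="${1:-}"   # expected host interface on adapter 3; empty = accept any
  rc=0
  while IFS='=' read -r key val; do
    val=${val#\"}; val=${val%\"}      # strip the surrounding double quotes
    case "$key" in
      nic1)    [ "$val" = nat ]           || { echo "nic1 is '$val', want nat"; rc=1; } ;;
      nic2)    [ "$val" = intnet ]        || { echo "nic2 is '$val', want intnet"; rc=1; } ;;
      intnet2) [ "$val" = demo-internal ] || { echo "intnet2 is '$val', want demo-internal"; rc=1; } ;;
      nic3)    [ "$val" = bridged ]       || { echo "nic3 is '$val', want bridged"; rc=1; } ;;
      bridgeadapter3)
        [ -z "$want_bridge" ] || [ "$val" = "$want_bridge" ] \
          || { echo "bridgeadapter3 is '$val', want $want_bridge"; rc=1; } ;;
    esac
  done
  return $rc
}

# Wrapper for a real VM. Usage: check_demo_vm demo-gateway wlan0
check_demo_vm() {
  VBoxManage showvminfo "$1" --machinereadable | check_vm_nics "${2:-wlan0}"
}
```

Run check_demo_vm for both demo-gateway and demo-internal before starting the demo; a non-zero exit status lists which adapter deviates from the layout above.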

The VirtualBox VMs are already preconfigured for these IP networks. You have to assign IP addresses for the smartphones:

  • Smartphone 1 “BYOD smartphone”: 10.0.1.111
  • Smartphone 2 “admin smartphone”: 10.0.1.114 (to keep the demonstration simple we let the admin smartphone access the demo-internal VM via the external network)

Testing the network configuration

Now you should check the network configuration:

  1. From the demo-gateway VM try to ping 10.0.1.111.
  2. From the demo-gateway VM try to ping 192.168.5.3.
  3. From the demo-internal VM try to ping 10.0.1.114.

If these ping tests are successful you should be ready to proceed with the configuration.
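The three ping tests above, plus the IP forwarding setting that the Configuration section enables on the demo-gateway VM, can be run as one pre-flight script on each VM. This is an added example, not part of the original demo; it assumes the VM host names match the names used in this document and that ping is the Linux iputils version (the -W option is a timeout in seconds there).

```shell
#!/bin/sh
# Added pre-flight helper (not from the original demo). Runs the ping tests for
# the VM it is started on and, on demo-gateway, verifies that IPv4 forwarding is on.

# Ping targets per VM, taken from the three test steps above.
targets_for() {
  case "$1" in
    demo-gateway)  echo "10.0.1.111 192.168.5.3" ;;
    demo-internal) echo "10.0.1.114" ;;
    *)             return 1 ;;
  esac
}

# True when the given sysctl file (default: the live kernel setting) reads "1".
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Runs all checks for a host name (default: this machine's hostname).
# Returns 1 if any check fails, 2 if the host is not one of the demo VMs.
preflight() {
  host="${1:-$(hostname)}"
  rc=0
  targets=$(targets_for "$host") || { echo "unknown demo host: $host"; return 2; }
  for t in $targets; do
    if ping -c 1 -W 2 "$t" >/dev/null 2>&1; then
      echo "ok   $host -> $t"
    else
      echo "FAIL $host -> $t (check the VirtualBox adapters and the phone's address)"
      rc=1
    fi
  done
  if [ "$host" = demo-gateway ]; then
    if forwarding_enabled; then
      echo "ok   ip_forward=1"
    else
      echo "FAIL ip_forward is not 1 (enable it as described under Configuration)"
      rc=1
    fi
  fi
  return $rc
}
```

Note that writing to /proc/sys/net/ipv4/ip_forward does not survive a reboot, so rerun this script after restarting the demo-gateway VM.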

Configuration

  1. Enable IP forwarding on the demo-gateway VM:

     demo@demo-gateway:~$ sudo -s
     demo@demo-gateway:~# echo "1" > /proc/sys/net/ipv4/ip_forward
    
  2. Configuration for the BYOD smartphone:

    • Import the demo CA certificate into the certificate store on the BYOD smartphone.
    • Install the strongSwan VPN Client from the Google Play store and add a new VPN profile:
      • Profile Name: 10.0.1.1
      • Gateway: 10.0.1.1
      • Type: IKEv2 EAP-TNC (Username/Password)
      • Username: demo
      • Password: demo
      • CA certificate: HSR demo CA
    • Install the DECOIT Android-IF-MAP-Client and configure it as follows:
      • [ ] Enable auto-start
      • [ ] Enable auto-connect
      • [x] Enable session-retry
      • [ ] Enable caching
      • [x] Enable auto-update
      • [x] Use Esukom-Metadata
      • [ ] Dont send app infos
      • [x] Dont send google-apps infos
      • Auto-Update Interval = 60000
      • Retry-Session-Interval = 30000
      • Server IP-Address = 192.168.5.3
      • Server Port-Number = 8443
      • [x] Basic Authentication
      • Username = sensor
      • Password = sensor
      • [x] Connection type
      • Renew-Request Interval = 12000
      • [x] allow unsafe SSL
      • [ ] Enable Location-Tracking
      • [ ] Log to file
      • [x] Enable new/end-session log
      • [ ] Enable renew-session logging
      • [x] Enable auto-update logging
      • [x] Enable publish-characteristic
      • [x] Enable error-message logging
      • [x] Enable invalid-response log
  3. Configuration for the admin smartphone:

Running the demo

Step 1: Starting Components

  • demo-internal:

    1. Start irond with the Oracle JRE:

       demo@demo-internal:~$ export PATH=/home/demo/jre1.7.0_51/bin:$PATH
       demo@demo-internal:~$ cd bin/irond-0.4.0
       demo@demo-internal:~/bin/irond-0.4.0$ ./start.sh
      
    2. Start irondhcp:

       demo@demo-internal:~$ cd irondhcp-0.3.2
       demo@demo-internal:~/irondhcp-0.3.2$ java -jar irondhcp.jar
      
    3. Start irondetect:

       demo@demo-internal:~$ cd irondetect-0.0.5
       demo@demo-internal:~/irondetect-0.0.5$ ./start.sh
      
  • demo-gateway:

    1. Start strongSwan:

       demo@demo-gateway:~$ sudo ipsec start
      
  • ironcontrol on the admin smartphone:

    1. Create a new connection to the MAPS running on 10.0.1.21:8443.
    2. Create a new subscription starting with the device identifier “strongswan”.
    3. Enable notifications for new poll results.
  • DECOIT Android-IF-MAP-Client on the BYOD smartphone:

    1. Start a new IF-MAP session. The smartphone cannot access the internal network yet and should try to establish a new MAPS connection periodically.
  • Use irongui to observe the content of the MAPS. For a subscription use the device identifier “strongswan” as the start identifier.

Step 2: VPN connecting with the BYOD smartphone

  1. Connect the BYOD smartphone to the VPN by activating the 10.0.1.1 profile.
  2. See how new metadata about the VPN connection, including IP/MAC addresses and the username, gets published to the MAPS.
  3. After a short timeout the DECOIT Android-IF-MAP-Client establishes a new SSRC connection to the MAPS and begins to publish feature metadata about the smartphone (containing information about installed apps).

Step 3: Installing suspicious app

  1. Now, install the SuspiciousApp.apk on the BYOD smartphone.
  2. The app requests a set of “suspicious” permissions.
  3. The DECOIT Android-IF-MAP-Client should pick up the information about the new app and send updated metadata to the MAPS.
  4. irondetect evaluates the new information and finds the BYOD smartphone violating the policy defined in $HOME/irondetect-0.0.5/policy/demo.pol. irondetect now publishes metadata representing an alarm notification.
  5. The admin smartphone should receive the alarm metadata.

Feedback

If you have any questions, problems or comments, please contact trust-at-hsh@listserv.dfn.de

Trust@HsH
Hochschule Hannover
University of Applied Sciences and Arts
Faculty IV, Dept. of Computer Science
Ricklinger Stadtweg 120
30459 Hannover, Germany
trust-at-hsh@listserv.dfn.de