euro mgov securing mobile services
Post on 09-May-2015
Securing Mobile Services
Miguel Ponce de Leon, John Ronan, Jimmy McGibney
Telecommunications Software & Systems Group, Waterford Institute of Technology
Ireland
jmcgibney@tssg.org
Security for the pervasive computing world
Contents
> Threats to Mobile Networks & Services
> SEINIT approach
> Building a “smart” wireless access point
> Embedded intrusion detection & honeypot
Security – a difficult problem
• Internet access is easy and cheap (and fairly anonymous)
• Lack of policy and implementation of policy
• Complexity & Scale of systems
• Technology weaknesses
– Tendency to develop first & add security afterwards
• Domination by small number of OSs & apps
– Find a Windows bug and you have millions of sitting targets
– Rapid dissemination of exploits among attackers
• Lack of education of users
• User mobility
• Hard to verify security
– "If it is provably secure, it is probably not", L.R. Knudsen
m-Government Security
• Very strong requirements for:
– Privacy
– Anonymity (in some cases)
– Authentication
– Integrity
– Availability (critical infrastructures…)
• As well as:
– Usability
– Ubiquity
– Low cost (for citizens)
– Verification & audit
– Diverse & “lowest common denominator” technology on user side
General threats & vulnerabilities
• OS vulnerabilities
• Application vulnerabilities
• Protocol weaknesses
• Sniffing on network
• Keystroke logging
• Password cracking
• Malware – viruses, worms, Trojan horses
• Social Engineering
• Non-technological
– Loss of key personnel, loss of power, lightning, fire, flood, software bugs, vendor bankruptcy, labour unrest, …
Specific Threats to Mobile Services
• Eavesdropping by a third party
– Electromagnetic spectrum is available to all
– Often weak or no encryption
• Bogus user
– Poor user authentication with WiFi; SIM cloning; stolen phones
• Bogus network
– Base station or access point presenting itself as network to the user, for example to collect user data
• Denial of service
– Deliberate jamming of wireless signal
– Or unintentionally – network congestion, large congregations of users (e.g. at sports event), large downloads hogging bandwidth, etc.
Worldwide War Drive 2004
• See www.worldwidewardrive.org
• Results:
– 228,537 access points found
– 82,755 (35%) with default SSID
– 140,890 (60%) with open system authentication (no key needed)
– 62,859 (28%) with both – i.e. no security
Some tips for wireless LAN security
• Treat wireless as untrusted
– Similar to public Internet
– Firewall, etc, between WLAN and rest of network
• Use higher-layer security
– e.g. VPN from station to Internet
• Check for unauthorised access points
• Audit authorised access points
– Make difficult to access from outside
– Use directional antenna to “point” radio signal
• Protect stations using personal firewalls and intrusion detection
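One way to carry out the "check for unauthorised access points" and "audit authorised access points" tips, as an added example that is not from the original slides. It checks constructed scan records against an inventory of authorised BSSIDs and flags the two weaknesses counted in the war drive results (default SSID, open system authentication); the record fields, the inventory and the default-SSID list are assumptions.

```python
# Added example: audit WLAN scan records against an inventory of authorised APs.
# All records, BSSIDs and the default-SSID list below are constructed.

AUTHORISED_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # assumed inventory
DEFAULT_SSIDS = {"linksys", "default", "netgear", "tsunami", "wireless"}  # illustrative

SCAN = [  # constructed sample, e.g. exported from a site survey
    {"bssid": "00:11:22:33:44:55", "ssid": "corp-wlan", "auth": "wpa"},
    {"bssid": "00:11:22:33:44:66", "ssid": "linksys", "auth": "open"},
    {"bssid": "DE:AD:BE:EF:00:01", "ssid": "corp-wlan", "auth": "open"},
    {"bssid": "02:00:00:00:00:09", "ssid": "CoffeeShop", "auth": "wep"},
]

def audit(scan, authorised, own_ssids):
    """Return {bssid: [findings]} for every access point with at least one finding."""
    authorised = {b.lower() for b in authorised}
    report = {}
    for ap in scan:
        bssid, ssid, auth = ap["bssid"].lower(), ap["ssid"], ap["auth"].lower()
        findings = []
        known = bssid in authorised
        if not known and ssid in own_ssids:
            # Unknown radio advertising our network name: the "bogus network" case.
            findings.append("unauthorised AP using our SSID")
        if known:
            if ssid.lower() in DEFAULT_SSIDS:
                findings.append("default SSID")
            if auth == "open":
                findings.append("open system authentication")
        if findings:
            report[bssid] = findings
    return report

if __name__ == "__main__":
    for bssid, findings in audit(SCAN, AUTHORISED_BSSIDS, {"corp-wlan"}).items():
        print(bssid, "->", ", ".join(findings))
```

Neighbouring networks that neither belong to the inventory nor use one of our SSIDs (the "CoffeeShop" record) are deliberately left out of the report.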
SEINIT Project
• Security Expert Initiative
• European Union 6th Framework IST Programme
• Objective: “Provide a trusted and dependable security framework, ubiquitous, working across multiple devices, heterogeneous networks, organisation independent and centred around an end-user”
SEINIT: conceptual approach
• Virtualisation of security
• mGovernment => Government “virtually” anywhere
• How to secure virtual entities?
– services, etc, that are user centred
– devices and network almost irrelevant
Classical security just looks at these layers
SEINIT: conceptual approach
[Figure: axes Space / Geography, Instantiation, Time; labels Virtual, Logical, Interface; networks UMTS, Internet, Wi-Fi, Bluetooth]
SEINIT: conceptual approach
• Infosphere
– Digital space linked more to individual or organisation than to devices or infrastructure
– Not necessarily under control of user
– Virtual
• Security Domain
– Controlled by individual or organisation
– Logical
[Figure: Infospheres and Security Domains; labels: Alice’s personal data, Cybercafe, Alice’s office, Alice’s Bank, Alice’s ISP, Alice’s Telecom operator, Software company (e.g. Microsoft)]
SEINIT: conceptual approach
• “Ambience” discovery
– To secure mobile, virtual world, context is everything
– Threat level may depend on:
  • Location
  • Environment (neighbours, etc)
  • Real-time threats
– IDS & Honeypots provide part of this
Embedding IDS and Dynamic Honeypot capabilities on a WLAN Access Point
SEINIT work in progress
Intrusion Detection System (IDS)
• Monitors activity on host or network & raises alerts
• Rules-based detection (most common)
– Based on known attacks
• Statistical anomaly detection
– Tends to produce too many false alarms
Honeypot
• Definition
– “A resource whose value lies in being probed, attacked or compromised”
• System or component with no real-world value, set up to lure attackers
• By definition, all activity on a honeypot is highly suspect
– Can catch new attacks
– Few false alarms
Combining IDS and Honeypots
– Common components
• Data collection
• Analysis and decision algorithm
• Action module
– Main differences
• Honeypot must be used to be effective
• IDS operate continuously on the data flow
– They are complementary:
• IDS can provide information even if the honeypot is not the target of attacks.
• When used, the honeypot provides more accurate and valuable information.
Collaboration and “reputation”
– A network of collaborative access points
– Exchange security information through a common vehicle
– Compute a “level of trust” for each host
Architecture: 5 main components
• Sensors
– Collect the data needed to detect malicious activity and provide low-level alerts for aggregation and correlation.
• Alert Analysis Engine
– Performs a high degree of correlation of various alerts (from sensors and other APs) in order to manage a level of trust for each host.
• Action Engine
– Manages various actions from sending an alert to triggering a new rule in a firewall. Plugins framework to manage various actions.
• Collaboration Engine
– Responsible for collaboration with other APs, including AP authentication, etc.
• Data Control
– Protects AP against threats (DoS, intrusion, IDS evasion, …).
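How the alert analysis and action engines could fit together, as an added example that is not from the original slides and is not SEINIT's algorithm. Alerts from the local IDS sensor, the honeypot and neighbouring APs lower a per-host level of trust, honeypot hits weigh most because all honeypot activity is suspect, and peer reports count only as far as the reporting AP is trusted; the weights, thresholds, alert fields and AP names are assumptions.

```python
# Added example: per-host "level of trust" from correlated alerts.
# Weights, thresholds and alert records are assumptions, not SEINIT's algorithm.

SOURCE_WEIGHT = {
    "honeypot": 0.9,  # all honeypot activity is highly suspect, few false alarms
    "ids": 0.4,       # rule/anomaly alerts may be false alarms
    "peer": 0.4,      # report from another AP, further scaled by trust in that AP
}
ALERT_BELOW, BLOCK_BELOW = 0.7, 0.3  # action thresholds (assumed)

def analyse(alerts, peer_trust):
    """Correlate alerts into a trust level in [0, 1] per host (1 = fully trusted)."""
    trust = {}
    for a in alerts:
        weight = SOURCE_WEIGHT[a["source"]]
        if a["source"] == "peer":
            # Unauthenticated or unknown APs get no influence at all.
            weight *= peer_trust.get(a["reporter"], 0.0)
        penalty = weight * a["severity"]           # severity in [0, 1]
        trust[a["host"]] = trust.get(a["host"], 1.0) * (1.0 - penalty)
    return trust

def decide(trust):
    """Action engine: map each host's trust level to an action."""
    actions = {}
    for host, level in trust.items():
        if level < BLOCK_BELOW:
            actions[host] = "add_firewall_rule"
        elif level < ALERT_BELOW:
            actions[host] = "send_alert"
        else:
            actions[host] = "none"
    return actions

ALERTS = [  # constructed sample alerts (documentation-range addresses)
    {"host": "192.0.2.10", "source": "ids", "severity": 0.5},
    {"host": "192.0.2.20", "source": "honeypot", "severity": 1.0},
    {"host": "192.0.2.20", "source": "ids", "severity": 0.5},
    {"host": "192.0.2.30", "source": "peer", "reporter": "ap-2", "severity": 1.0},
    {"host": "192.0.2.40", "source": "peer", "reporter": "ap-unknown", "severity": 1.0},
    {"host": "192.0.2.30", "source": "ids", "severity": 0.5},
]
PEER_TRUST = {"ap-2": 0.5}  # trust in authenticated neighbouring APs (assumed)

if __name__ == "__main__":
    levels = analyse(ALERTS, PEER_TRUST)
    for host, action in decide(levels).items():
        print(f"{host} trust={levels[host]:.2f} action={action}")
```

A single IDS alert leaves a host above the alert threshold, while one honeypot hit is enough to trigger the firewall action, which mirrors the false-alarm difference between the two sources.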
Implementation: use available components
– CqureAP
• An 802.11 wireless AP that runs on Linux
– Prelude-IDS
• Our core framework: a hybrid IDS
– Snort
• Used as a NIDS and a wireless sensor
– Honeyd
• Used to provide various honeypot services
SEINIT: other activities
• Trials of
– Mobile IPv6
• Concept of return routability
– IPv6 address autoconfiguration
• To provide privacy (avoid having static IP address derived from MAC)
– Cryptographically Generated Addresses (CGA)
• Secure association of IPv6 address with a public key
– Extensible Authentication Protocol (EAP)
• Flexible authentication framework running on top of link layer
– Protocol for Carrying Authentication and Network Access (PANA)
• Link layer agnostic transport for EAP authentication info
– DNSSEC
• Secure DNS
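Why an autoconfigured address derived from the MAC is a privacy problem, as an added example that is not from the original slides. An interface identifier built with the modified EUI-64 method embeds the MAC address, so the same device can be recognised on every network it joins; the MAC, the prefixes and the randomised address below are constructed (2001:db8::/32 is the documentation prefix).

```python
# Added example: a modified EUI-64 interface identifier exposes the MAC address.
# The MAC and prefixes are constructed (2001:db8::/32 is the documentation prefix).
import ipaddress

def eui64_address(prefix, mac):
    """Address a host autoconfigures from its MAC using modified EUI-64."""
    b = bytearray(int(x, 16) for x in mac.split(":"))
    b[0] ^= 0x02                                      # flip the universal/local bit
    iid = bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])   # insert ff:fe in the middle
    net = ipaddress.IPv6Network(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))

def recover_mac(addr):
    """Return the embedded MAC if the identifier looks EUI-64 derived, else None."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None          # no ff:fe marker, e.g. a randomised identifier
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in mac)

def same_device(addr_a, addr_b):
    """True when two addresses on different networks embed the same MAC."""
    mac = recover_mac(addr_a)
    return mac is not None and mac == recover_mac(addr_b)

MAC = "00:11:22:33:44:55"
HOME = eui64_address("2001:db8:1::/64", MAC)
CAFE = eui64_address("2001:db8:2::/64", MAC)
RANDOMISED = "2001:db8:2::a1b2:c3d4:e5f6:789"   # constructed random identifier

if __name__ == "__main__":
    print(HOME, CAFE, recover_mac(HOME))
    print("linkable across networks:", same_device(HOME, CAFE))
    print("randomised identifier:", recover_mac(RANDOMISED))
```

The ff:fe check is a heuristic: a random identifier can contain those two bytes by chance, so a match indicates a likely, not certain, MAC-derived address.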