Mobile Device Security
Page 2
But just what is mobility?
Devices:
• Mobility = Mobile phones?
• Mobility = Smart phones?
• Mobility = PDAs?
Wireless:
• Mobility = Wireless LANs?
• Mobility = GSM/GPRS?
Applications:
• Mobility = Form-factor adaptation?
• Mobility = Synchronisation?
Page 3
Mobility: Challenges
Page 4
Where is confidential data most vulnerable?
Source: ESG Research Report
Page 5
Facets of Mobile Security
[Diagram: devices (1), air transmissions over PAN/LAN/WAN (2), public networks, VPN (3), private networks (4) and applications, with management spanning all of them; the layers are labelled mobility, wireless and traditional security.]
Page 6
Agenda
1. Mobile devices
2. Air interfaces
  • Bluetooth, 802.11b, WWAN
3. Remote Access
  • Tunnels (VPNs), Roaming
4. Perimeter Security
  • Compartmentalization, Access Controls
Page 7
Device Security
(Windows Mobile)
Page 8
Threats to Mobile Devices
• Stolen information
  ● Host intrusion, stolen device
• Unauthorized network/application access
  ● Compromised credentials, host intrusion
• Virus propagation
  ● Virus susceptibility
• Lost information
  ● Lost, stolen or damaged device
Source: Trend Micro
Page 9
Windows Mobile Content Protection
Access Control Approaches
• Simple Lock-out
• Encryption
  ● Private key storage?
  ● Smartcard / TPM
  ● Hash private key (dictionary attack)
• Couple with strong password policies
• Prevent insecure boot
  ● Analogous to BIOS password and Drivelock
• Choice depends on
  ● Sensitivity of data
  ● Sustainable impact on usability and performance
  ● Trust in user password selection
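As an added example (not from the slides or any vendor named here), one way to combine the encryption and password-policy bullets above: the content key is stored only wrapped under a key derived from the user password with a slow, salted KDF, and passwords that leave a dictionary-sized keyspace are refused up front. Stdlib only; XOR under a single-use PBKDF2-derived pad plus an HMAC tag stands in for a real key-wrap primitive, and every name and value is an assumption.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000   # slow KDF: every dictionary guess costs 200k HMAC calls
MIN_LENGTH = 8         # policy: a 4-digit PIN is only 10^4 guesses, KDF or not

# Constructed 32-byte content key (hypothetical device data-encryption key).
SAMPLE_DEK = bytes(range(32))

def password_policy_ok(password: str) -> bool:
    """Reject short or single-class passwords before they protect anything."""
    classes = sum(any(test(c) for c in password) for test in
                  (str.isdigit, str.islower, str.isupper, lambda c: not c.isalnum()))
    return len(password) >= MIN_LENGTH and classes >= 3

def derive_kek(password: str, salt: bytes, iterations: int) -> bytes:
    """64 bytes from PBKDF2-HMAC-SHA256: first half wraps, second half authenticates."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=64)

def protect_dek(dek: bytes, password: str) -> dict:
    """Store the content key only in wrapped form, never the password or its hash."""
    if not password_policy_ok(password):
        raise ValueError("password violates policy")
    salt = os.urandom(16)                      # fresh salt defeats precomputed tables
    kek = derive_kek(password, salt, ITERATIONS)
    wrapped = bytes(a ^ b for a, b in zip(dek, kek[:32]))   # stand-in for AES key wrap
    tag = hmac.new(kek[32:], salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "iterations": ITERATIONS, "wrapped": wrapped, "tag": tag}

def unlock_dek(record: dict, password: str):
    """Return the content key, or None when the password (or the record) is wrong."""
    kek = derive_kek(password, record["salt"], record["iterations"])
    expected = hmac.new(kek[32:], record["salt"] + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(record["wrapped"], kek[:32]))
```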
Page 10
iPAQ Content Protection
Access Control Solutions
• Native Pocket PC
• Biometric Authentication
• HP ProtectTools
• Pointsec
• Credant
• TrustDigital
• Utimaco
• Bluefire
Page 11
Enterprise Requirements
• Integrated Management Console
  ● Directory (AD/LDAP) integration
• Centralized Policies
  ● Policy polling
  ● User cannot remove
  ● Screen-lock / Idle-lock
Page 12
Air Interfaces: Bluetooth
Page 13
Pairing & Authentication
Pairing:
• Access to both devices
• Manual input of security code
• No need to store or remember
Authentication:
• Based on stored keys
• No user intervention
Page 14
Bluetooth Security
• Acceptable Security Algorithms
  ● Initialization
  ● Authentication
  ● Encryption
• Prevention of
  ● Discoverability, Connectability and Pairing
• Proximity Requirement
[Diagram: devices A, B, C, D and master M with link keys K_MA, K_MB, K_MC, K_MD and K_AD.]
Page 15
Multi-tiered security
Page 16
Bluetooth vulnerability
• PIN Attack
  ● Often hard-coded
  ● Usually short (4-digit)
• Bluejacking
• Bluesnarfing
• Virus Propagation
Centralized Policy Management is critical in the Enterprise!!
Page 17
Air Interfaces: WLAN
Page 18
Needs determine security
• SSID
• MAC Filter
• WEP
• WPA/802.11i
Page 19
MAC Filters
• Requires management of authorized MAC addresses
• LAA (Locally Administered Address) can override UAA (Universally Administered Address)
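Added example, not from the slides: a MAC filter applied to a constructed association log, which also flags the two things the filter alone cannot see. An address whose U/L bit (bit 1 of the first octet) is set was chosen by the host rather than burned in, and an allowlisted address that is active at two access points at the same time has been reused. The log format, allowlist and addresses are all constructed.

```python
import re

# Constructed allowlist; the 02:... entry was added by an admin from an observed
# client, so it is a locally administered (software-set) address, not a burned-in one.
ALLOWLIST = {"00:1b:77:aa:bb:cc", "00:1b:77:11:22:33", "02:1b:77:de:ad:01"}

# Constructed access-point association log (hypothetical format).
SAMPLE_LOG = """\
t=100 ap=ap-lobby assoc mac=00:1b:77:aa:bb:cc
t=101 ap=ap-lobby assoc mac=02:1b:77:de:ad:01
t=102 ap=ap-east assoc mac=00:1b:77:aa:bb:cc
t=103 ap=ap-lobby disassoc mac=00:1b:77:aa:bb:cc
t=104 ap=ap-lobby assoc mac=00-1B-77-11-22-33
t=105 ap=ap-lobby assoc mac=00:1b:77:ff:ff:ff
"""

LINE_RE = re.compile(r"t=(\d+)\s+ap=(\S+)\s+(assoc|disassoc)\s+mac=([0-9A-Fa-f:-]{17})")

def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")

def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit; set means the host chose the address."""
    return int(mac.split(":")[0], 16) & 0x02 != 0

def audit_associations(log: str, allowlist) -> list:
    """Apply the MAC filter and report what a plain allowlist check would miss."""
    allow = {normalize_mac(m) for m in allowlist}
    current_ap = {}      # mac -> access point it is associated with right now
    findings = []
    for t, ap, event, raw in LINE_RE.findall(log):
        mac = normalize_mac(raw)
        if event == "disassoc":
            current_ap.pop(mac, None)
            continue
        if mac not in allow:
            findings.append((mac, "denied: not in allowlist"))
            continue
        if is_locally_administered(mac):
            findings.append((mac, "allowed, but LAA: software-assigned address"))
        prev = current_ap.get(mac)
        if prev and prev != ap:
            # Same allowlisted address active at two APs at once (a clean roam
            # disassociates first): the address is being cloned or reused.
            findings.append((mac, f"allowed, but active at {prev} and {ap} simultaneously"))
        current_ap[mac] = ap
    return findings
```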
Page 20
Equipment of a Wi-Fi freeloader
• Mobile device
  ● Linux
  ● Windows
  ● Pocket PC
• Wireless card
  ● Orinoco card
  ● Prism 2 card
• Driver for promiscuous mode
• Cantenna and wireless MMCX to N type cable
Page 21
Increasing the transmission range
DEFCON 2005 WiFi Shootout: 200 km
• Large dishes
• High power levels
• Line-of-sight
Page 22
Bringing the “War” to War Driving
Page 23
Tools
• NetStumbler: access point reconnaissance
  ● http://www.netstumbler.com
• WEPCrack: breaks 802.11 keys
  ● http://wepcrack.sourceforge.net/
• AirSnort: breaks 802.11 keys
  ● Needs only 5-10 million packets
  ● http://airsnort.shmoo.com/
• chopper
  ● Released August 2004
  ● Reduces number of necessary packets to 200-500 thousand
Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…
Page 24
Ten-minute WEP crack
• Kismet
  ● reconnaissance
• Airodump
  ● WEP cracking
• Void11
  ● deauth attack
• Aireplay
  ● replay attack
Source: tom’s networking
Page 25
Wireless LAN security evolution (timeline; security increases left to right)
1999: WEP
  Privacy: 40 bit RC4 with 24 bit IV
  Auth: SSID and Shared key
  Integrity: CRC
2003: WPA
  Privacy: Per packet keying (RC4) with 48 bit IV
  Auth: 802.1x + EAP
  Integrity: MIC
2005+: 802.11i / WPA2
  Privacy: AES
  Auth: 802.1x + EAP
  Integrity: MIC
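Added example, not part of the slide: the arithmetic behind the WEP and WPA privacy rows above. With a 24-bit IV, randomly chosen IVs repeat (and with them the RC4 keystream) after only a few thousand packets by the birthday bound, and a sequential IV counter wraps within hours on a busy network; TKIP's 48-bit sequence counter pushes the wrap out by millennia. The 1000 packets/s rate is an assumed figure for illustration.

```python
import math

def iv_repeat_probability(packets: int, iv_bits: int = 24) -> float:
    """Probability that at least two of `packets` randomly chosen IVs coincide."""
    space = 2 ** iv_bits
    if packets > space:
        return 1.0                    # pigeonhole: more packets than distinct IVs
    # Birthday approximation 1 - exp(-k(k-1)/2n), accurate for k << n.
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * space))

def packets_for_repeat(probability: float, iv_bits: int = 24) -> int:
    """Smallest packet count at which an IV repeat is at least this likely."""
    space = 2 ** iv_bits
    k = int(math.sqrt(-2 * space * math.log(1 - probability)))   # closed-form start
    while iv_repeat_probability(k, iv_bits) < probability:
        k += 1
    return k

def seconds_until_iv_wrap(packets_per_second: float, iv_bits: int = 24) -> float:
    """Sequential IVs: time until the counter wraps and the keystream repeats."""
    return 2 ** iv_bits / packets_per_second

def wep_vs_tkip_summary(packets_per_second: float = 1000.0) -> dict:
    """WEP (24-bit IV) against TKIP (48-bit sequence counter) at one assumed rate."""
    year = 3600 * 24 * 365
    return {
        "wep_packets_for_50pct_repeat": packets_for_repeat(0.5, 24),
        "wep_hours_until_wrap": seconds_until_iv_wrap(packets_per_second, 24) / 3600,
        "tkip_years_until_wrap": seconds_until_iv_wrap(packets_per_second, 48) / year,
    }
```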
Page 26
802.11i / WPA2
• Ratified June 2004
• AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
  ● Symmetric-key block cipher
  ● Computationally efficient
  ● Can use large keys (> 1024 bits)
• Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
  ● RFC 3610
• May require equipment upgrades
  ● Some WPA implementations already support AES
• Update for Windows XP (KB893357)
Page 27
IEEE 802.1x Explanation
• Restricts physical access to the WLAN
• Can use existing authentication system
[Diagram: Supplicant (Client) ↔ Authenticator (Access Point) ↔ Authentication Server (RADIUS Server); EAP over 802.1x between client and access point, EAP over RADIUS between access point and server; TKIP / MIC protects the air link.]
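The three-party exchange in the diagram above, as an added example rather than the slide's own material: the access point relays EAP on its uncontrolled port and opens the controlled port only after the RADIUS server accepts, so a station gets no LAN access before authentication. A plain HMAC challenge-response stands in for a real EAP method, and the user database, names and frames are constructed.

```python
import hashlib
import hmac
import os

# Constructed user database standing in for the RADIUS server's backend (AD/LDAP).
USERS = {"alice": b"alice-secret"}
class AuthServer:
    """Authentication server (RADIUS): the only party that holds credentials."""
    def __init__(self, users):
        self.users, self.pending = users, {}
    def access_request(self, identity: str) -> bytes:
        challenge = os.urandom(16)            # fresh per attempt: no replay
        self.pending[identity] = challenge
        return challenge
    def access_verify(self, identity: str, response: bytes) -> bool:
        secret = self.users.get(identity)
        challenge = self.pending.pop(identity, None)
        if secret is None or challenge is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Authenticator:
    """Access point: relays EAP to the server and gates the controlled port."""
    def __init__(self, server: AuthServer):
        self.server, self.authorized = server, set()

    def handle(self, station: str, frame: tuple):
        kind, payload = frame
        if kind == "EAPOL":                   # uncontrolled port: EAP always passes
            return self._relay_eap(station, payload)
        if station in self.authorized:        # controlled port open after EAP-Success
            return "forwarded"
        return "dropped"                      # no LAN access before authentication

    def _relay_eap(self, station, payload):
        if payload[0] == "identity":          # EAP-Response/Identity -> RADIUS Access-Request
            return ("challenge", self.server.access_request(payload[1]))
        if payload[0] == "response":          # EAP-Response -> RADIUS Access-Request
            if self.server.access_verify(payload[1], payload[2]):
                self.authorized.add(station)  # RADIUS Access-Accept
                return "EAP-Success"
        return "EAP-Failure"                  # RADIUS Access-Reject or malformed EAP

def supplicant_session(ap: Authenticator, station: str, identity: str, secret: bytes):
    """Client side: answer the challenge with a keyed response, never the secret."""
    _, challenge = ap.handle(station, ("EAPOL", ("identity", identity)))
    response = hmac.new(secret, challenge, hashlib.sha256).digest()
    return ap.handle(station, ("EAPOL", ("response", identity, response)))
```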
Page 28
WiFi Protected Access (WPA)
• Temporal Key Integrity Protocol
  ● Fast/Per packet keying, Message Integrity Check
• WPA-Personal
• WPA-Enterprise
Page 29
Enterprise WLAN Security Options
• WPA-Enterprise
  ● Transition to 802.11i
  ● Requires WPA-compliant APs and NICs
• VPN Overlay
  ● Performance overhead (20-30%)
  ● VPN Concentrator required
• RBAC
  ● Additional appliance and infrastructure
  ● Most refined access
Home WLAN: WEP/WPA key rotation, firewall, intrusion detection
Public WLAN: MAC address filter, secure billing, VPN passthrough
Page 30
Rogue and Decoy Access Points
• Highest risk when WLANs are NOT implemented
  ● Usually completely unsecured
  ● Connected by naïve (rather than malicious) users
• Intrusion Detection Products
  ● Manual, Sensors, Infrastructure
• Multi-layer perimeters
  ● 802.1x
  ● RBAC, VPN
• Decoys can be counteracted with automated configuration
[Diagram labels: Internet, Intranet, Access]
Page 31
Air Interfaces: WWAN
Page 32
Wireless WAN (Wide Area Network)
● GSM, GPRS, HSCSD, EDGE, UMTS, HSDPA
● CDMA 1XRTT, EV-DO, EV-DV, 3X
● 802.16, 802.20
● 2G -> 2.5G -> 3G -> 4G
● Bandwidth 9.6kbps - 2Mbps+
● Large geographical coverage
● International coverage through roaming
[Pictured: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card]
http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf
Page 33
Multiple interfaces maximize flexibility
[Diagram: PAN Zone, WLAN Zone, GPRS Zone, 3G Zone and Satellite Zone, with persons 1 to 5 moving between them.]
• Surfing: Person 1 improves bandwidth by moving into a 3G area
• MP3 Download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
• Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
• At sea: Person 5 maintains coverage via satellite after leaving GPRS range
Columbitech, Birdstep, Ecutel
Page 34
Unauthorized Wireless Bridge
[Diagram: a mobile device bridging a Private LAN to a Public Network]
Page 35
Perimeter Security
Page 36
Perimeter Evolution
• Restricted Network Access
• Role-based Access Control
• Network Compartmentalization
[Diagram: user access control by role, schedule and location, mapped onto IP address, port, time and VLAN.]
Page 37
Credant OTA Sync Control
Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange.
• Local Gatekeeper can detect devices which sync via local connection (handheld, local ActiveSync, Exchange 2003).
• OTA Sync Control detects devices which sync via Server ActiveSync (handheld, Internet, Server ActiveSync, Exchange Server and App Servers). Based on ISAPI extension.
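Added example, not Credant's code: the decision an ISAPI-style filter in front of Server ActiveSync has to make for each request. Exchange ActiveSync clients identify themselves in the query string (Cmd, User, DeviceId, DeviceType), which is enough to detect a sync attempt, look the handheld up in a device inventory, and allow, deny or redirect to remediation before any mailbox data moves. The inventory, device IDs and remediation URL are constructed.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed inventory of managed handhelds (hypothetical DeviceId values) and
# their last reported policy state; unmanaged devices are simply absent.
MANAGED = {
    "3A1F9C": {"user": "alice", "compliant": True},
    "7B22E0": {"user": "bob", "compliant": False},   # e.g. password policy not applied
}
REMEDIATION_URL = "https://remediate.example.test/enroll"  # hypothetical

def parse_sync_request(request_line: str):
    """Pull Cmd, User and DeviceId from an Exchange ActiveSync request line."""
    method, target, _ = request_line.split(" ", 2)
    parts = urlsplit(target)
    if parts.path.lower() != "/microsoft-server-activesync":
        return None                                   # not an ActiveSync request
    q = parse_qs(parts.query)
    return {"method": method,
            "cmd": q.get("Cmd", [""])[0],
            "user": q.get("User", [""])[0],
            "device_id": q.get("DeviceId", [""])[0]}

def gate(request_line: str, managed=MANAGED):
    """Decide what the filter does with one request: pass, allow, deny or redirect."""
    req = parse_sync_request(request_line)
    if req is None:
        return ("pass", None)                         # other Exchange traffic, untouched
    if req["method"] == "OPTIONS":
        return ("pass", None)                         # capability probe, no mailbox data
    dev = managed.get(req["device_id"])
    if dev is None:
        return ("redirect", REMEDIATION_URL)          # unknown device: enrol first
    if dev["user"] != req["user"]:
        return ("deny", "device registered to another user")
    if not dev["compliant"]:
        return ("redirect", REMEDIATION_URL)          # known, but policy not in place
    return ("allow", req["cmd"])
```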
Page 38
Trust Digital Mobile Edge Perimeter Security
• Wireless Provisioning Portal
  ● Device and user registration integrated with enterprise use policy acceptance
  ● Over-the-air (OTA) delivery of Trust Digital software and policy
• Advanced Features
  ● Asset, activity, and compliance reporting
  ● Help Desk functionality including self-service portal
• Network Admission Control
  ● Ensures security/compliance of end-user device
  ● Interrogates devices before allowing access
  ● Integrated with Microsoft ISA Server
Page 39
HP Enterprise Mobility Suite: FusionDM for Enterprise
[Diagram: HP Enterprise Devices from Leading OEM Device Manufacturers reach HP Worldwide Hosting Facilities over WW Wireless Operator Networks (SMS, TCP/IP); the hosting facilities connect to the Enterprise over the Internet via HTTPS.]
• Hosting side: Device Support, S/W Maintenance, WW Network Support
• FusionDM for Enterprise: Device Troubleshooting, Device Security, Policy Mgmt, Asset Mgmt, IT Dash Board
• Existing IT Systems: Exchange®, Domino®, Groupwise®; Corporate Directory, Active Directory®; Intranet, CRM, Application Portal
Page 40
Mobile Device Security Management
• Provisioning security tools
• Policy enforcement
  ● Passwords
  ● Device lock
  ● Policy updates
• User support
  ● Device lockout
  ● Backup/restore
[Graphic: Security balanced against Usability]
Page 41
Summary
• Security concerns are the greatest inhibitor to mobility
  ● Wireless networks and devices introduce new risks
  ● Some mobile security (e.g. WLAN) has been inadequate
  ● The industry has since recognized and addressed the main threats
• The enterprise challenge:
  ● Systematically reassess security architecture
  ● Standardize on security configuration
  ● Ensure user compliance through automation and policy enforcement