Mobile Device Security
DESCRIPTION
Microsoft Exchange Connections, Orlando, 2008
TRANSCRIPT
But just what is mobility?
Devices:
• Mobility = Mobile phones?
• Mobility = Smart phones?
• Mobility = PDAs?
Wireless:
• Mobility = Wireless LANs?
• Mobility = GSM/GPRS?
Applications:
• Mobility = Form-factor adaptation?
• Mobility = Synchronisation?
Mobility: Challenges
Where is confidential data most vulnerable?
[Chart: Source: ESG Research Report]
Facets of Mobile Security
[Diagram: devices, air transmissions (PAN, LAN, WAN), public networks, private networks and applications, grouped into the layers mobility, wireless and traditional security; numbered zones 1 to 4, with zone 3 marked VPN]
Agenda
1. Mobile devices
2. Air interfaces
   • Bluetooth, 802.11b, WWAN
3. Remote Access
   • Tunnels (VPNs), Roaming
4. Perimeter Security
   • Compartmentalization, Access Controls
Device Security (Windows Mobile)
Threats to Mobile Devices
• Stolen information
  ● Host intrusion, stolen device
• Unauthorized network/application access
  ● Compromised credentials, host intrusion
• Virus propagation
  ● Virus susceptibility
• Lost information
  ● Lost, stolen or damaged device
Source: Trend Micro
Windows Mobile Content Protection: Access Control Approaches
• Simple Lock-out
• Encryption
  ● Private key storage?
  ● Smartcard / TPM
  ● Hash private key (dictionary attack)
• Couple with strong password policies
• Prevent insecure boot
  ● Analogous to BIOS password and Drivelock
• Choice depends on
  ● Sensitivity of data
  ● Sustainable impact on usability and performance
  ● Trust in user password selection
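The slide pairs "hash private key (dictionary attack)" with "couple with strong password policies", and the two belong together: a content-encryption key derived from a short PIN by a fast hash can be recovered by guessing, so the key derivation must be slow and salted and the password policy must rule out PIN-sized secrets. The script below is an added illustration, not code from the presentation or from any of the products listed: it enforces an assumed password policy, derives the content-protection key with PBKDF2-HMAC-SHA256, stores only a salted key check value (never the key), and estimates how the iteration count changes an attacker's guess rate. Policy thresholds, iteration count and the constant used for the check value are assumptions.

```python
"""Password policy plus slow, salted key derivation for device content protection.

Added example, not from the deck. Assumed values: minimum length, number
of character classes, PBKDF2 iteration count and key length.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8             # assumed policy value
PBKDF2_ITERATIONS = 200_000  # assumed work factor
KEY_LENGTH = 32            # 256-bit content-encryption key
KCV_LABEL = b"content-protection-kcv"  # constant under HMAC; assumption for the example


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.isdigit():
        problems.append("digits only (PIN-sized search space)")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def derive_key(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the content-encryption key with a salted, iterated KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=KEY_LENGTH)


def make_verifier(password: str) -> dict:
    """What the device stores: salt, iteration count and a key check value.
    The check value is an HMAC over a constant under the derived key, so the
    key itself is never written to storage."""
    salt = os.urandom(16)
    key = derive_key(password, salt)
    check = hmac.new(key, KCV_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "check": check}


def unlock(verifier: dict, password: str):
    """Return the key if the password matches the stored verifier, else None."""
    key = derive_key(password, verifier["salt"], verifier["iterations"])
    check = hmac.new(key, KCV_LABEL, "sha256").digest()
    return key if hmac.compare_digest(check, verifier["check"]) else None


def guesses_per_second(iterations: int, hmac_per_second: float) -> float:
    """Rough attacker throughput: every guess costs `iterations` HMAC evaluations."""
    return hmac_per_second / iterations


if __name__ == "__main__":
    print(check_policy("1234"))
    v = make_verifier("Orlando-2008-Exchange!")
    print(unlock(v, "Orlando-2008-Exchange!") is not None, unlock(v, "1234") is None)
    # Seconds to try all 10,000 four-digit PINs at an assumed 1e8 HMAC/s:
    # single hash versus the iterated KDF.
    print(10_000 / guesses_per_second(1, 1e8), 10_000 / guesses_per_second(PBKDF2_ITERATIONS, 1e8))
```

The policy check is what makes the KDF worthwhile: a 4-digit PIN has only 10,000 candidates, so even a 200,000-iteration KDF only buys seconds of attacker time against it, whereas the same work factor applied to a long mixed-class passphrase makes a dictionary attack impractical.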
iPAQ Content Protection: Access Control Solutions
• Native Pocket PC
• Biometric Authentication
• HP ProtectTools
• Pointsec
• Credant
• TrustDigital
• Utimaco
• Bluefire
Enterprise Requirements
• Integrated Management Console
  ● Directory (AD/LDAP) integration
• Centralized Policies
  ● Policy polling
  ● User cannot remove
  ● Screen-lock / Idle-lock
Air Interfaces: Bluetooth
Pairing & Authentication
Pairing
• Access to both devices
• Manual input of security code
• No need to store or remember
Authentication
• Based on stored keys
• No user intervention
Bluetooth Security
• Acceptable Security Algorithms
  ● Initialization
  ● Authentication
  ● Encryption
• Prevention of
  ● Discoverability, Connectability and Pairing
• Proximity Requirement
[Diagram: multi-tiered security, with separate link keys (K_MA, K_MB, K_MC, K_MD) between a master M and devices A, B, C and D]
Multi-tiered security
Bluetooth Vulnerability
• PIN Attack
  ● Often hard-coded
  ● Usually short (4-digit)
• Bluejacking
• Bluesnarfing
• Virus Propagation
Centralized Policy Management is critical in the Enterprise!
Air Interfaces: WLAN
Needs determine security
• SSID
• MAC Filter
• WEP
• WPA/802.11i
MAC Filters
• Requires management of authorized MAC addresses
• LAA (Locally Administered Address) can override UAA (Universally Administered Address)
Equipment of a Wi-Fi freeloader
• Mobile device
  ● Linux
  ● Windows
  ● Pocket PC
• Wireless card
  ● Orinoco card
  ● Prism 2 card
• Driver for promiscuous mode
• Cantenna and wireless MMCX to N type cable
Increasing the transmission range
• DEFCON 2005 WiFi Shootout: 200 km
• Large dishes
• High power levels
• Line-of-sight
Bringing the "War" to War Driving
Tools
• NetStumbler—access point reconnaissance
  ● http://www.netstumbler.com
• WEPCrack—breaks 802.11 keys
  ● http://wepcrack.sourceforge.net/
• AirSnort—breaks 802.11 keys
  ● Needs only 5-10 million packets
  ● http://airsnort.shmoo.com/
• chopper
  ● Released August 2004
  ● Reduces number of necessary packets to 200-500 thousand
Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…
Ten-minute WEP crack
• Kismet
  ● reconnaissance
• Airodump
  ● WEP cracking
• Void11
  ● deauth attack
• Aireplay
  ● replay attack
Source: tom's networking
Wireless LAN security evolution
Timeline
1999: WEP
• Privacy: 40 bit RC4 with 24 bit IV
• Auth: SSID and Shared key
• Integrity: CRC
2003: WPA
• Privacy: Per packet keying (RC4) with 48 bit IV
• Auth: 802.1x + EAP
• Integrity: MIC
2005+: 802.11i / WPA2
• Privacy: AES
• Auth: 802.1x + EAP
• Integrity: MIC
[Chart axis: Security increasing over time]
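The timeline's "24 bit IV" is the reason WEP key recovery needs only a few million frames (and, with the later attacks listed above, far fewer): every frame is encrypted with RC4 keyed by the shared key plus an IV sent in the clear, so any two frames that reuse an IV share a keystream. The script below is an added worked derivation, not part of the presentation: it computes the exact birthday probability that a batch of n randomly chosen IVs of a given width contains a repeat, the batch size at which that probability reaches a target, and how long a sequential IV counter takes to wrap at a given frame rate. The 48-bit width from the WPA column is included only for comparison; TKIP uses a sequence counter rather than random IVs, so for it only the wrap-time figure applies. Frame rates are assumptions.

```python
"""IV reuse arithmetic for WEP's 24-bit IV (added example, not from the deck).

Only the IV widths (24 and 48 bits) come from the slide; frame rates used
in the demo are assumed.
"""
import math


def iv_collision_probability(n: int, iv_bits: int) -> float:
    """Exact probability that n randomly chosen IVs of width iv_bits are not all distinct.
    O(n) work, so use it for the 24-bit case; the approximation below serves large n."""
    space = 2 ** iv_bits
    if n > space:
        return 1.0
    # Sum log(1 - i/space) for i < n in log space to avoid underflow of the product.
    log_no_collision = 0.0
    for i in range(n):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def approx_collision_probability(n: int, iv_bits: int) -> float:
    """Standard birthday approximation 1 - exp(-n(n-1) / (2 * space))."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n * (n - 1) / (2.0 * space))


def frames_for_collision_probability(iv_bits: int, target: float = 0.5, exact: bool = False) -> int:
    """Smallest batch size n whose collision probability reaches `target`.
    Starts from the closed-form estimate sqrt(-2 * space * ln(1 - target)) and
    refines it by stepping, using the exact formula when requested."""
    space = 2 ** iv_bits
    prob = iv_collision_probability if exact else approx_collision_probability
    n = max(1, int(math.sqrt(-2.0 * space * math.log(1.0 - target))))
    while prob(n, iv_bits) < target:
        n += 1
    while n > 1 and prob(n - 1, iv_bits) >= target:
        n -= 1
    return n


def iv_wrap_seconds(iv_bits: int, frames_per_second: float) -> float:
    """Time until a sequential IV counter of width iv_bits wraps and starts repeating."""
    return 2 ** iv_bits / frames_per_second


if __name__ == "__main__":
    for bits in (24, 48):
        n50 = frames_for_collision_probability(bits)
        print("%d-bit random IVs: 50%% reuse chance after about %d frames" % (bits, n50))
    # Assumed busy-AP rate of 500 frames/s: 24-bit counter wraps in hours, not years.
    print("24-bit sequential IV wraps after %.1f hours at 500 frames/s"
          % (iv_wrap_seconds(24, 500) / 3600))
    print("48-bit sequential IV wraps after %.0f years at 500 frames/s"
          % (iv_wrap_seconds(48, 500) / (3600 * 24 * 365)))
```

With random IVs a repeat is more likely than not after roughly 4,800 frames, and a sequential counter exhausts the 2^24 space in under a day on a busy access point; the 48-bit counter removes both problems, which is the point of the WPA column.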
802.11i / WPA2
• Ratified June 2004
• AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
  ● Symmetric-key block cipher
  ● Computationally efficient
  ● Can use large keys (> 1024 bits)
• Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
  ● RFC 3610
• May require equipment upgrades
  ● Some WPA implementations already support AES
• Update for Windows XP (KB893357)
IEEE 802.1x Explanation
[Diagram: Supplicant (Client) to Authenticator (Access Point) to Authentication Server (RADIUS Server); EAP carried over 802.1x between client and access point, and over RADIUS between access point and server; TKIP / MIC on the wireless link]
• Restricts physical access to the WLAN
• Can use existing authentication system
WiFi Protected Access (WPA)
• Temporal Key Integrity Protocol
  ● Fast/Per packet keying, Message Integrity Check
• WPA-Personal
• WPA-Enterprise
Enterprise WLAN Security Options
• WPA-Enterprise
  ● Transition to 802.11i
  ● Requires WPA-compliant APs and NICs
• VPN Overlay
  ● Performance overhead (20-30%)
  ● VPN Concentrator required
• RBAC
  ● Additional appliance and infrastructure
  ● Most refined access
Home WLAN: WEP/WPA key rotation, firewall, intrusion detection
Public WLAN: MAC address filter, secure billing, VPN passthrough
Rogue and Decoy Access Points
• Highest risk when WLANs are NOT implemented
  ● Usually completely unsecured
  ● Connected by naïve (rather than malicious) users
• Intrusion Detection Products
  ● Manual, Sensors, Infrastructure
• Multi-layer perimeters
  ● 802.1x
  ● RBAC, VPN
• Decoys can be counteracted with automated configuration
[Diagram: Internet, Intranet and Access zones]
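The "Intrusion Detection Products (Manual, Sensors, Infrastructure)" bullet and the earlier MAC-filter caveat (a locally administered address can override the burned-in one) come together in the classification a WLAN sensor performs. The script below is an added example, not from the presentation or any vendor named on it: it takes beacon observations (SSID, BSSID, channel) as a scan or sensor would report them, compares them with an inventory of authorized BSSIDs, and labels each as authorized, decoy (a corporate SSID advertised by an unknown radio) or rogue (an unknown radio on some other SSID). It also flags any BSSID whose locally-administered bit is set, since a software-assigned address is a common trait of soft-APs and spoofed filters. The SSIDs, inventory and beacon list are constructed sample data.

```python
"""Rogue/decoy access point classification from a beacon survey (added example).

Corporate SSIDs, the authorized-BSSID inventory and the beacons below are
constructed for illustration.
"""

CORPORATE_SSIDS = {"ACME-CORP", "ACME-GUEST"}                     # assumed names
AUTHORIZED_BSSIDS = {"00:1a:2b:3c:4d:5e", "00:1a:2b:3c:4d:5f"}  # constructed inventory

# Constructed survey output, as a sensor or scanner would report it.
SAMPLE_BEACONS = [
    {"ssid": "ACME-CORP",  "bssid": "00:1a:2b:3c:4d:5e", "channel": 6},
    {"ssid": "ACME-CORP",  "bssid": "02:11:22:33:44:55", "channel": 6},   # unknown radio, corporate name
    {"ssid": "linksys",    "bssid": "00:ab:cd:ef:01:23", "channel": 11},  # unknown radio, other name
    {"ssid": "ACME-GUEST", "bssid": "00-1A-2B-3C-4D-5F", "channel": 1},   # same AP, hyphenated form
]


def parse_mac(mac: str) -> bytes:
    """Accept colon- or hyphen-separated MACs in any case; return the six octets."""
    parts = mac.lower().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("bad MAC address: %r" % mac)
    return bytes(int(p, 16) for p in parts)


def normalize(mac: str) -> str:
    return ":".join("%02x" % b for b in parse_mac(mac))


def is_locally_administered(mac: str) -> bool:
    """The U/L bit (value 0x02 in the first octet) is set for locally administered addresses."""
    return bool(parse_mac(mac)[0] & 0x02)


def survey(beacons):
    """Classify each observed beacon against the inventory and return the findings."""
    results = []
    for b in beacons:
        bssid = normalize(b["bssid"])
        flags = []
        if is_locally_administered(bssid):
            flags.append("locally-administered BSSID")
        if bssid in AUTHORIZED_BSSIDS:
            verdict = "authorized"
            if b["ssid"] not in CORPORATE_SSIDS:
                flags.append("authorized AP advertising unexpected SSID")
        elif b["ssid"] in CORPORATE_SSIDS:
            verdict = "decoy"   # corporate name on a radio we do not own
        else:
            verdict = "rogue"   # unknown radio inside the survey area
        results.append({"ssid": b["ssid"], "bssid": bssid, "channel": b["channel"],
                        "verdict": verdict, "flags": flags})
    return results


if __name__ == "__main__":
    for r in survey(SAMPLE_BEACONS):
        print("%-10s %-12s %s %s" % (r["verdict"], r["ssid"], r["bssid"], "; ".join(r["flags"])))
```

Decoys are the case the slide singles out for "automated configuration": a client whose profile is pinned to the authorized BSSIDs (or to 802.1x server certificate validation) will not join the look-alike, whatever its SSID says.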
Air Interfaces: WWAN
Wireless WAN (Wide Area Network)
● GSM, GPRS, HSCSD, EDGE, UMTS, HSDPA
● CDMA 1XRTT, EV-DO, EV-DV, 3X
● 802.16, 802.20
● 2G -> 2.5G -> 3G -> 4G
● Bandwidth 9.6 kbps - 2 Mbps+
● Large geographical coverage
● International coverage through roaming
[Figure: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card]
http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf
Multiple interfaces maximize flexibility
[Diagram: PAN Zone, WLAN Zone, GPRS Zone, 3G Zone and Satellite Zone, with persons 1 to 5 moving between them]
• Surfing: Person 1 improves bandwidth by moving into a 3G area
• MP3 Download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
• Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
• At sea: Person 5 maintains coverage via satellite after leaving GPRS range
Columbitech, Birdstep, Ecutel
Unauthorized Wireless Bridge
[Diagram: a wireless device bridging the Private LAN to a Public Network]
Perimeter Security
• Restricted Network Access
• Role-based Access Control
• Network Compartmentalization
Perimeter Evolution
[Diagram: User Access Control by Role, Schedule and Location, compared with controls based on IP Address, Port, Time and VLAN]
Credant OTA Sync Control
[Diagram: a handheld synchronizes either locally (ActiveSync over a local connection, watched by a Local Gatekeeper) or over the Internet (Server ActiveSync to Exchange 2003 / Exchange Server / App Servers, watched by OTA Sync Control)]
• Local Gatekeeper can detect devices which sync via local connection
• OTA Sync Control detects devices which sync via Server ActiveSync
  ● Based on ISAPI extension
• Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange
Trust Digital Mobile Edge Perimeter Security
• Wireless Provisioning Portal
  ● Device and user registration integrated with enterprise use policy acceptance
  ● Over-the-air (OTA) delivery of Trust Digital software and policy
• Advanced Features
  ● Asset, activity, and compliance reporting
  ● Help Desk functionality including self-service portal
• Network Admission Control
  ● Ensures security/compliance of end-user device
  ● Interrogates devices before allowing access
  ● Integrated with Microsoft ISA Server
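Both the Credant OTA Sync Control slide (detect devices that sync through Server ActiveSync and remediate them) and the Trust Digital Network Admission Control slide (interrogate devices before allowing access) describe the same gatekeeping decision. The script below is an added example, not code from either product or from the presentation: it reads IIS-style request log lines for the Microsoft-Server-ActiveSync virtual directory, pulls the DeviceId, DeviceType, User and Cmd parameters that ActiveSync clients put in the query string, and decides allow, quarantine or block against a device inventory that carries a compliance state. The log lines, the inventory, the log column layout and the decision rules are constructed for the example.

```python
"""Admission decisions for Exchange ActiveSync clients from request logs (added example).

The inventory and log lines are constructed; the query parameters
Cmd, User, DeviceId and DeviceType are the ones ActiveSync clients send.
"""
from urllib.parse import parse_qs

# Constructed inventory: DeviceId -> what a policy store would hold about the device.
INVENTORY = {
    "A1B2C3D4E5": {"user": "jdoe", "compliant": True},
    "F6E5D4C3B2": {"user": "asmith", "compliant": False},  # e.g. lock policy not yet applied
}

# Constructed IIS-style lines. Assumed columns:
# date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
SAMPLE_LOG = """\
2008-04-01 09:12:03 198.51.100.10 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=A1B2C3D4E5&DeviceType=PocketPC jdoe 200
2008-04-01 09:12:45 198.51.100.11 POST /Microsoft-Server-ActiveSync Cmd=FolderSync&User=asmith&DeviceId=F6E5D4C3B2&DeviceType=SmartPhone asmith 200
2008-04-01 09:13:10 198.51.100.12 POST /Microsoft-Server-ActiveSync Cmd=Sync&User=jdoe&DeviceId=ZZ9999&DeviceType=PocketPC jdoe 200
2008-04-01 09:13:20 198.51.100.13 GET /owa/ - jdoe 200
"""


def parse_line(line: str):
    """Return the ActiveSync request fields for one log line, or None for other traffic."""
    fields = line.split()
    if len(fields) != 8:
        return None
    date, time, client_ip, method, stem, query, user, status = fields
    if stem.lower() != "/microsoft-server-activesync":
        return None
    q = parse_qs(query)
    return {
        "when": date + " " + time,
        "client_ip": client_ip,
        "cmd": q.get("Cmd", [""])[0],
        "user": q.get("User", [user])[0],
        "device_id": q.get("DeviceId", [""])[0],
        "device_type": q.get("DeviceType", [""])[0],
    }


def decide(req: dict):
    """Admission rule (assumed): allow known compliant devices, quarantine known
    non-compliant ones so only remediation policy is pushed, block unknown
    device ids and devices registered to a different user."""
    record = INVENTORY.get(req["device_id"])
    if record is None:
        return "block", "unknown DeviceId"
    if record["user"] != req["user"]:
        return "block", "DeviceId registered to a different user"
    if not record["compliant"]:
        return "quarantine", "device out of policy; push remediation"
    return "allow", "registered and compliant"


def process_log(text: str):
    """Classify every ActiveSync request in the log; returns (device_id, user, verdict, reason)."""
    results = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        verdict, reason = decide(req)
        results.append((req["device_id"], req["user"], verdict, reason))
    return results


if __name__ == "__main__":
    for device_id, user, verdict, reason in process_log(SAMPLE_LOG):
        print("%-12s %-8s %-10s %s" % (device_id, user, verdict, reason))
```

Run over logs after the fact this is detection; wired into the request path (the ISAPI extension the Credant slide mentions, or ISA Server in Trust Digital's case) the same decision becomes admission control, since an unknown DeviceId can be refused before any mailbox data is returned.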
HP Enterprise Mobility Suite
[Diagram: HP Enterprise Devices from leading OEM device manufacturers reach the HP Worldwide Hosting Facilities over worldwide wireless operator networks (SMS, TCP/IP); the hosted FusionDM for Enterprise service connects to the enterprise's existing IT systems over HTTPS across the Internet]
HP Worldwide Hosting Facilities
• Device Support
• S/W Maintenance
• WW Network Support
FusionDM for Enterprise
• Device Troubleshooting
• Device Security
• Policy Mgmt
• Asset Mgmt
• IT Dash Board
Existing IT Systems
• Exchange®, Domino®, Groupwise®
• Corporate Directory, Active Directory®
• Intranet, CRM, Application Portal
Mobile Device Security Management
• Provisioning security tools
• Policy enforcement
  ● Passwords
  ● Device lock
  ● Policy updates
• User support
  ● Device lockout
  ● Backup/restore
[Diagram: Security versus Usability]
Summary
• Security concerns are the greatest inhibitor to mobility
  ● Wireless networks and devices introduce new risks
  ● Some mobile security (e.g. WLAN) has been inadequate
  ● The industry has since recognized and addressed the main threats
• The enterprise challenge:
  ● Systematically reassess security architecture
  ● Standardize on security configuration
  ● Ensure user compliance through automation and policy enforcement
Questions?
Contact me at: [email protected]
Your Feedback is Important
Please fill out a session evaluation form and either put them in the basket near
the exit or drop them off at the conference registration desk.
Thank you!