White Paper
December 2001

Prepared by:
Access Business Group
Compaq Computer Corporation

Contents
Introduction
Security in General
Essential Elements of Security
Security and the Pipe
Device Security
Connectivity Technologies
Access Points
Corporate Firewalls
Application and Data Servers
Wireless Security White Paper

Notice

The information in this publication is subject to change without notice and is provided “AS IS” WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK ARISING OUT OF THE USE OF THIS INFORMATION REMAINS WITH RECIPIENT.
Introduction

Wireless networks connect computers in offices or homes to other computers, or to devices such as printers, by using radio or infrared signals instead of cables and jacks. Since wireless networks dispense with cables, users connected to wireless computer networks (or wirelessly connected to computer networks) can roam around with the machines they use to gain access to such networks. This ability to function in "untethered" mode is a great convenience.
Essential Elements of Security

The essential elements of security as it applies to wireless networks are:

• Privacy — assuring that only people who have permission to do so can view information and transactions. Privacy is preserved through a process that authorizes identified persons to see protected information and engage in transactions. Encryption is an important tool for preserving privacy.
(This aspect of security is not covered in this paper, since securing data from unauthorized access behind the firewall is not a wireless security concern, but a wired one.)

Figure 1 illustrates the pipe.

Figure 1: The Network Pipe

The vertical yellow lines in Figure 1 represent the pivotal points of data transfer. The horizontal lines represent data traveling from one place to the next either wired or wirelessly.
Moreover, workers are using notebook computers more and more as desktop machines while in the office, then taking them home at the end of the day to continue working. Because of their usefulness, companies deploy millions of notebook computers to their employees. Companies treat the devices as critical resources by defining usage and security policies and by instituting measures to protect the hardware and the data that the devices hold.
Available Device-specific Security Measures

Many security measures are available for mobile access devices. Some of these are outlined in the subsections below. For various reasons they are often not fully implemented.

Passwords

Mobile devices, especially handhelds, have small user interfaces and keypads, leading many users to choose simpler passwords. For example, keypads that associate multiple letters with each key require repeated presses to type certain letters.
A concern with smart cards (and certain other encryption devices) is their vulnerability to power analysis attacks if they fall into the wrong hands. Such attacks involve device power measurements and their analysis while the smart card is in operation. Mathematical analysis of the differences in power consumption during different operations of the smart card can make possible the decryption of the smart card’s information.
Key features of F-Secure FileCrypto for PocketPC are the following:

• Encrypts documents in selected folders on the fly
• Strong real-time encryption with 128-bit Blowfish
• Allows creation of user-specified encrypted folders
• Supports removable media
• Automatic installation through a host PC to the PDA device at next ActiveSync
• Minimum length and character set of pass-phrase can be defined
• ActiveSync protected by the same pass-phrase
• Automatic encryp
• Individual users can connect between various personal devices wherever they are, such as from a cell phone to a handheld to a desktop computer without cables to synchronize data or gain access to a wireless connection. Wireless personal area networks (WPANs) facilitate such connections between devices.
• External users increasingly want corporate connectivity anywhere at any time.
Wireless Personal-area Networks

Wireless personal-area networks (WPANs) can use Bluetooth, a radio frequency (RF) specification for point-to-multipoint voice and data transfer. They can also use infrared technology. A WPAN permits personal devices such as handheld PCs to connect wirelessly to peripheral devices such as printers or other personal devices. Figure 3 illustrates a WPAN.
Compaq provides turnkey solutions: clients with enabling technologies, airtime provided by carriers, area network coverage, and optimized features. Compaq WWANs using CDPD and GSM technologies are available now. WWAN via CDPD, for example, provides packet-switched connections to the Internet, Internet e-mail, enterprise intranet and corporate e-mail. Compaq offers an optimized MS Exchange e-mail solution with InfoWave. Nationwide (U.S.) coverage is available.
The discussion that follows concentrates on the segment of the network pipe in which information must travel over public highways and suffer the potential for exposure. Transmission via one of several connectivity technologies from the access device to the carrier (or WWAN access point) is dependent to a certain degree on the type of network used in WWAN connectivity.
Core elements of a PKI are:

• Asymmetric keys
• Digital certificates
• Digital signatures

The following paragraphs describe and illustrate these elements.

A "key" is a numeric value of variable length that an encryption algorithm uses to convert unencrypted text into encrypted text. Public key cryptography uses a pair of asymmetric keys for encryption and decryption. An "asymmetric" key system uses a different key for encryption and decryption.
Digital Certificates

Digital certificates are electronic files that can be used as unique identifiers for people and resources over networks. A digital certificate binds a user’s identity to a public key, thus establishing trust. Digital certificates can also be used to help secure confidential communication between two parties.
Digital Signatures

Digital signatures are intended to be the legal equivalent of handwritten signatures. The signer generates a “hash value” or “digital fingerprint” of the document or message to be signed. The hash value is unique to the document or message. The hash value is then converted into a digital signature by the user’s private key. The digital signature is sent to the recipient for verification.
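The sign-and-verify flow described above, as an added example that is not part of the original white paper: a toy textbook-RSA key pair signs the SHA-256 fingerprint of a message with the private key, and the recipient checks it with the public key. The primes, function names and sample messages are assumptions constructed for the illustration; the key is far too small for real use and no padding scheme is applied.

```python
import hashlib

# Constructed toy key pair: two known Mersenne primes (assumption for the demo).
# Real keys are 2048+ bits and signatures use a padding scheme such as PSS.
P, Q = 2**127 - 1, 2**89 - 1
N = P * Q                                  # public modulus
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, kept by the signer


def fingerprint(message: bytes) -> int:
    """Hash value ("digital fingerprint") of the message, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """Signer: convert the hash value into a signature with the private key."""
    return pow(fingerprint(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Recipient: recover the signed hash with the public key and compare it
    with a hash computed independently over the message that arrived."""
    return pow(signature, E, N) == fingerprint(message)


def demo() -> dict:
    order = b"Transfer 100 USD to account 12345"      # constructed sample message
    sig = sign(order)
    return {
        "genuine": verify(order, sig),
        "altered_message": verify(b"Transfer 900 USD to account 12345", sig),
        "altered_signature": verify(order, sig ^ 1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'REJECTED'}")
```

Only the holder of the private exponent can produce a value that passes `verify`, which is why a certificate binding the public key to an identity is what gives the signature its meaning.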
Virtual Private Networks

Virtual Private Networks (VPNs), also known as "tunnels" and commonly used over the Internet for wired networks, can keep a wireless network hidden from prying eyes. Security experts recommend that companies use an additional authentication system such as a VPN before allowing data to cross from a wireless network to an intranet or other corporate system. VPNs have the following characteristics:

• User Authentication.
Several VPN protocols are available. They include the Point-to-Point Tunneling Protocol (PPTP) from Microsoft, the Layer Two Tunneling Protocol (L2TP), the Layer Two Forwarding protocol (L2F) from Cisco Systems, and the Internet Protocol Security protocol (IPSec). The PPTP protocol lets corporations extend their corporate network through private "tunnels" over the public Internet.
The following VPN products, however, are available from third parties for the Compaq iPAQ Pocket PC:

movianVPN by Certicom:
• Based on IPSec
• Uses Certicom ECC for IKE
• Connects to back-end VPN products from: Alcatel, Check Point, Cisco, Intel, Nortel, Radguard, Symantec

Check Point VPN Client:
• In development
• Not based on IPSec
• Will support only Check Point VPN products

VGate by V-One:
• Works only with V-One VPN appliance gateway
• Supports many str
Code Division Multiple Access (CDMA) and Time Division Multiple Access (TDMA) use the Cellular Message Encryption Algorithm (CMEA) specified by the Telecommunications Industry Association (TIA). The encryption techniques used by WWANs have proven to be effective but not infallible. Both GSM and CMEA algorithms have reportedly been cracked.
Figure 10 illustrates the wireless access protocol.

[Figure 10: Wireless Access Protocol (WAP). The “WAP GAP”: Mobile Device, WTLS, WAP Gateway, TLS, Web Server. Security protocol must be translated from WAP “WTLS” to standard Internet “TLS”. Data is unencrypted for a brief period of time.]

WAP does not provide end-to-end encryption between the wireless client and the application server.
Infowave

Infowave provides an encrypted end-to-end security model from the mobile user through the wireless data network and Internet to the corporate server. Infowave is a gateway solution that controls all traffic to and from wireless users. Infowave requires that a single configurable port be opened in the firewall and set up as follows:

• The port must allow only User Datagram Protocol (UDP) traffic.
Authentication

Infowave uses NTLM challenge/response authentication. Infowave sends no user information over the link other than the encrypted NTLM token.

Authorization

Once it has authenticated the user, the Infowave server determines what resources the user is authorized and licensed to access. The Infowave server grants or denies access to the Exchange mailbox, for example. It also sends an authentication request back to the Infowave client software.
Infowave further notes that the engineering effort required to perform the above attack is prohibitive. It is not sufficient to just capture data and analyze it. The attacker would need to build working versions of both the IStack transport layer (Infowave proprietary) and the WBE authentication and session protocols (also Infowave proprietary) in order to carry out this attack.
The fundamental approach used by 802.1x is to authenticate users at the edge of the private network. It would be conceivable to perform this processing at other points within the core of the network, for example using MAC addresses. However, it would be difficult to protect all authenticated end stations from unauthenticated stations, since intruders could bypass authentication at least on their own segments.
• For security reasons, the authentication information must be cryptologically secure. This implies that the Authenticator cannot decrypt the credentials.
• The model must be extensible to new authentication mechanisms as they are invented and implemented.
This does not mean that there is no longer a need for WEP in an 802.11b LAN. As mentioned above, 802.1x only provides authentication. It does not encrypt the over-the-air transmission. It is therefore still possible for hackers to eavesdrop on conversations and intercept sensitive information. The ideal combination is to use 802.1x for authentication to the network, and WEP to ensure privacy of the transmission.
Figure 12 (next page) illustrates a corporate network with firewalls.

Figure 12: Corporate Network with Firewalls

"On its own, a firewall is a particularly dangerous single point of failure for network protection. Intrusion Detection Systems (IDS) provides an effective secondary protection measure to prevent security policy failure. IDS technology is also useful in detecting some types of malicious behavior by insiders. IDS can be both network based and host based.
See “Safe Computing and E-Business: Protecting the Enterprise to Assure E-Business Success” (http://activeanswers.compaq.com/ActiveAnswers/Render/1,1027,1317-6-100-225-1,00.html), the Compaq technical guide cited at other places in this paper, for detail on security measures recommended for corporate servers.