Wireless Device and Network level security

A Presentation I made at QIP Short Term Course On Wireless Security

Transcript

  • 1. Security at Device, Network & Server Levels
      QIP Short Term Course On Wireless Security
      Chetan Kumar Shivakumar, Protocol Engineering and Technology Unit, IISc. (Currently working at Alcatel Lucent India Limited)
      e-mail: shivakumar.chetan@gmail.com
  • 2. Organization
      • Session 1
          • Mobile Device Security
          • Network Level Security-1
      • Session 2
          • Network Level Security-2
          • Server Level Security
  • 3. Session 1
      • Device Level Security
          • Security Requirements
          • Threats and solutions
          • OS Level security
      • Network Level Security
          • Security Challenges at network level
              • Security issues in WLAN (part)
              • Cellular Network, Adhoc Network security
  • 4. What is security
      • Security is PAIN
          • Privacy
          • Authentication
          • Integrity
          • Non-repudiation
      • Security is needed for...
          • Privacy reasons:
              • People want to hide certain (culturally specific) things.
          • Economic reasons:
              • People (and enterprises) want to protect their property.
  • 5. Mobile Security specifics
      • Dynamic connections over multiple access networks (partly untrusted)
      • Restrictions in communication protocols (bandwidth, latency, …)
      • Restrictions in devices (power, performance)
      • State of affairs:
          • Client-side technology is still very immature
          • Security management of wireless networks and devices is inherently complicated
      • Multiple stakeholders
          • Owner/Subscriber
          • Service Provider
          • Enterprise
  • 6. Need for Mobile Device Security
      • Resources
          • Mobile devices are becoming more powerful
              • 1 GHz processors are common!!
      • Portability
          • Wireless devices are smaller in size and portable
          • Data on those devices requires more protection than data on non-portable devices
          • Mechanisms to recover stolen or lost devices are important
          • Mechanisms for self-destruction of data are also important
  • 7. Need for Mobile Device Security
      • Mobility
          • Mobility brings even bigger challenges
          • Trust in infrastructure
              • Wired networks assume a certain level of trust in local infrastructure (we trust our routers). In wireless networks this is a weak assumption.
              • Would you put the same level of trust in an Access Point in an airport as you put in your home AP?
              • Security mechanisms should anticipate these variances in trust. Or, security mechanisms should be independent of location or infrastructure.
          • Trust in location
              • Wired networks implicitly assume that a network address is equivalent to a physical location.
              • In wireless networks physical location is not tied to network address. Physical location may change transparently to end nodes.
  • 8. Need for Mobile Device Security
      • Services
          • Multiple services are run on mobile devices
              • I can also talk using my phone!!
          • Multimedia applications
          • CRM applications on mobile devices
          • Mobile sales force applications on mobile devices
  • 9. Important Data on mobile device
      • Smart phones and PDA usage
          • 55.7% store confidential information on mobile device
          • 54% of smart phones used for e-mailing confidential information
          • 40% access bank account and credit card
          • 10-15% of laptops are stolen with the intent of obtaining data
  • 10. Mobile device security Threat
      • Device lost by accident OR stolen
          • Replacement cost
          • Cost of restoring data
          • Loss of confidential data
          • Cloning threat
          • Impersonation
  • 11. Mobile device security Threat
      • Data damage by mobile malware
          • Some intelligent free app can upload your banking PIN!!
          • An easy way to transmit a virus (during sync)
  • 12. Environmental Threats
      • Rich interfaces in mobile devices, which are software controlled
          • Tethering with Wi-Fi!!
      • Unauthorized mobile device in corporate environment
          • Can act as a sniffer
      • Threat due to using the device in busy environments
  • 13. Few solutions for device security
      • Allow only legitimate and valid users into the network
          • Network admission control (NAC)
      • Data encryption and strong authentication management
      • Centralized device management
          • Remove old devices in the system
      • Patch management for software on mobile devices
      • Network level management using
          • Firewall, IDS, anti-spyware etc.
  • 14. Policy enforced solutions
      • Encrypts data transmissions to and from the device and encrypts data on the devices themselves.
      • Measures the trustworthiness of the hardware, OS and applications to detect an unauthorised configuration.
      • Allows IT staffers to deactivate, lock and/or wipe devices which have been stolen or lost.
      • Provides strong user authentication both to activate the device and to access the network. In the case of loss/theft, user authentication can slow or halt an attacker entirely.
      • Management functions on the device and on the back-end which allow users to centrally create, roll out, change and enforce their security policies.
      • Password protection on all devices at power-on. Most mobile devices ship with this feature.
  • 15. OS Security Mechanism
      • Capability model
          • Provide access to resources only to applications that have a certain trust level
              • Decided during installation
      • Data caging model
          • Certain users get full access to vulnerable files.
      • Password protection and CA based authentication
      • Remote wipe-out
      • Policy propagation mechanism
  • 16. Network Level Security
  • 17. Why do we need network security
      • "I can send mail to all news channels using Wi-Fi access from this building."
      • No non-repudiation
  • 18. Why do we need network security
      • "I can get the passwords now, sitting outside this building."
      • "Internet banking is so easy with Wi-Fi at home."
      • Eavesdropping
  • 19. Why security is more of a concern in wireless?
      • Two basic security problems in wireless
          • Connecting to the network does not need physical access to the network
              • Just stand outside a building and you can get connected to an AP that is inside the building
      • The broadcast nature of radio communications
          • Wi-Fi networks normally operate at 150 mW, up to 300 m radius
          • Have you ever tried wireshark (or tcpdump)?
  • 20. Why security is more of a concern in wireless?
      • Other related security vulnerabilities
          • Anyone can generate transmissions,
              • which will be received by other devices in range
              • which will interfere with other nearby transmissions and may prevent their correct reception (jamming)
          • Injecting bogus messages into the network is easy
          • Replaying previously recorded messages is easy
  • 21. Why security is more of a concern in wireless?
      • Illegitimate access to the network and its services is easy
          • Denial of service is easily achieved by jamming
  • 22. Network Level Security Challenges
      • Transmission Security
          • at physical, medium access and data link layers over wireless media.
      • Communication Security
          • message confidentiality, integrity, and end-point authentication
      • Authorization and Access Control
      • Network Infrastructure Protection
      • Robustness
      • Efficiency
  • 23. Wireless LAN Security
      • Various schemes in Wi-Fi security
          • Service Set ID (SSID) based
          • MAC address based filtering
          • Wired Equivalent Privacy (WEP)
          • eWEP (Enhanced WEP)
          • Wi-Fi Protected Access (WPA)
          • WPA 2
          • IEEE 802.11i
  • 24. Service Set Identifier (SSID)
      • SSID is used to identify an 802.11 network
      • It can be pre-configured or advertised in beacon broadcast
      • It is transmitted in clear text
          • Provides very little security
  • 25. MAC Address Filtering
      • MAC address filtering is another way people have tried to secure their networks.
      • A NIC's MAC address is a 12-digit hexadecimal number that is unique to each and every network card in the world.
      • Uniqueness allows you to limit access to the AP to only those MAC addresses of authorized devices.
      • You can easily shut out everyone who should not be on your network.
      • However, MAC address filtering is not completely secure and, if you rely solely upon it, you will have a false sense of security.
  • 26. Issues with MAC Address Filtering
      • Someone will have to keep a database of the MAC address of every wireless device in your network. When keeping track of hundreds of MAC addresses, this will become a nightmare.
      • MAC addresses can be changed, so a determined attacker can use a wireless sniffer to figure out a MAC address that is allowed through and set his PC to match it so that it is considered valid.
      • Note that encryption takes place at about Layer 2 of the OSI model, so MAC addresses will still be visible to a packet sniffer.
  • 27. End of session 1
      • Let us break for tea..
  • 28. Session 2
      • Network Level Security
          • Security issues in WLAN (part)
          • Cellular Network, Adhoc Network security
      • Server Level Security
          • Security Threat for server
          • Server Security Steps
          • Security Solutions
  • 29. WEP - Wired Equivalent Privacy
      • Part of the IEEE 802.11 specification
      • GOAL
          • make the Wi-Fi network at least as secure as a wired LAN (that has no particular protection mechanisms)
          • WEP was never intended to achieve strong security
          • (in the end, it hasn't achieved even weak security)
  • 30. WEP - Wired Equivalent Privacy
      • There is a lot of misconception surrounding WEP.
      • WEP is not, nor was it ever meant to be, a security algorithm.
      • WEP is not designed to repel; it simply makes sure that you are not less secure because you are not keeping your data in a wire.
      • The problem occurs when people see the word "encryption" and make assumptions.
      • WEP is designed to make up for the inherent insecurity in wireless transmission, as compared to wired transmission.
  • 31. WEP - Wired Equivalent Privacy
      • WEP makes your data as secure as it would be on an unencrypted, wired Ethernet network.
      • That is all it is designed to do, period.
      • WEP can typically be configured in three possible modes:
          • No encryption mode
          • 40-bit encryption
          • 128-bit encryption
  • 32. What is WPA?
      • Wi-Fi Protected Access (WPA) is a response by the WLAN industry to offer an immediate, stronger security solution than WEP.
      • WPA was created by the Wi-Fi Alliance, an industry trade group, which owns the trademark to the Wi-Fi name and certifies devices that carry that name.
  • 33. WPA in a nutshell…
      • WPA is designed for use with an IEEE 802.1X authentication server, which distributes different keys to each user.
      • Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV).
      • One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.
      • When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP.
  • 34. WPA in a nutshell… (Cont'd)
      • In addition to authentication and encryption, WPA also provides vastly improved payload integrity.
      • The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key.
      • A more secure message authentication code (usually known as a MAC, but here termed a MIC for "Message Integrity Code") is used in WPA, an algorithm named "Michael".
      • The MIC used in WPA includes a frame counter, which prevents replay attacks being executed.
  • 35. WPA Modes
      • Pre-Shared Key Mode
          • Does not require an authentication server.
          • "Shared Secret" is used for authentication to the access point.
      • Enterprise Mode
          • Requires an authentication server
          • Uses RADIUS protocols for authentication and key distribution.
          • Centralizes management of user credentials.
  • 36. In Summary
      • Fixes all known WEP privacy vulnerabilities.
      • Designed by well-known cryptographers.
      • Best possible security to minimize performance degradation on existing hardware.
  • 37. AdHoc Network Security issues
      • Challenges in AdHoc Network
          • Lack of infrastructure, absence of trusted third parties (TTPs)
          • The constraints of the devices and the communication channel
          • Bootstrapping security, providing authentication and key exchange
          • Enabling key revocation and key renewal in public key infrastructures (PKIs).
  • 38. Server Level Security
      • Servers provide services to mobile devices
          • DHCP/DNS/HTTP/File servers etc.
      • Messaging and file services are a very critical part of the mobile work force in an enterprise.
  • 39. Security Threats in Servers
      • Malicious entities may exploit software bugs in the server
      • Denial of Service (DoS) attacks
      • Sensitive information transmitted unencrypted or weakly encrypted between the server and the client may be intercepted.
      • Malicious entities may gain unauthorised access to resources elsewhere in the organisation's network via a successful attack on the server
  • 40. Securing the Servers
      • Planning
          • Identify the purpose(s) of the server
          • Install the right firewall
          • Install NIDS
      • Install, configure, and secure the underlying OS
      • Install, configure, and secure the server software
  • 41. Thank You
      • We can address any questions that you had earlier hesitated to ask
      • "The security of a computer system degrades in direct proportion to the amount of use the system receives" (Farmer's Law)
  • 42. Backup Slide
      • Backup slides
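
Slide 34's statement that the WEP CRC can be updated without knowing the key, contrasted with a keyed integrity check, as an added example that is not part of the presentation. It assumes a random XOR keystream in place of RC4 and truncated HMAC-SHA256 as a stand-in for a keyed MIC (it is not the Michael algorithm); all function names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    """XOR a with the first len(a) bytes of b."""
    assert len(b) >= len(a), "second operand must cover the first"
    return bytes(x ^ y for x, y in zip(a, b))

def crc32(data: bytes) -> bytes:
    """CRC-32 as 4 little-endian bytes, the layout of the WEP ICV."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_like_seal(keystream: bytes, payload: bytes) -> bytes:
    """payload || CRC32(payload), XORed with a keystream (stand-in for RC4)."""
    return xor(payload + crc32(payload), keystream)

def wep_like_open(keystream: bytes, frame: bytes):
    """Decrypt and return the payload, or None if the CRC does not match."""
    body = xor(frame, keystream)
    payload, icv = body[:-4], body[-4:]
    return payload if crc32(payload) == icv else None

def modify_without_key(frame: bytes, delta: bytes) -> bytes:
    """Flip payload bits by `delta` and patch the encrypted CRC; no key is used.
    CRC-32 is affine over XOR: crc(p ^ d) = crc(p) ^ crc(d) ^ crc(zeros)."""
    icv_fix = xor(crc32(delta), crc32(bytes(len(delta))))
    return xor(frame, delta + icv_fix)

def mic_seal(mic_key: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Same framing, but the check value is a keyed MAC (truncated HMAC-SHA256)."""
    tag = hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]
    return xor(payload + tag, keystream)

def mic_open(mic_key: bytes, keystream: bytes, frame: bytes):
    """Decrypt and return the payload, or None if the keyed tag does not match."""
    body = xor(frame, keystream)
    payload, tag = body[:-8], body[-8:]
    good = hmac.new(mic_key, payload, hashlib.sha256).digest()[:8]
    return payload if hmac.compare_digest(tag, good) else None

def demo():
    original = b"PAY 0010 USD TO ALICE"  # constructed sample payload
    altered = b"PAY 9910 USD TO ALICE"   # same length, two bytes changed
    delta = xor(original, altered)
    keystream, mic_key = os.urandom(64), os.urandom(16)
    crc_frame = modify_without_key(wep_like_seal(keystream, original), delta)
    mic_frame = xor(mic_seal(mic_key, keystream, original), delta + bytes(8))
    # The CRC-protected frame is accepted with altered content; the MIC one is rejected.
    return wep_like_open(keystream, crc_frame), mic_open(mic_key, keystream, mic_frame)

if __name__ == "__main__":
    print(demo())
```

The unkeyed CRC accepts the altered frame because its check value can be recomputed from the change alone, while the keyed tag cannot be repaired without the MIC key.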
