Mobile Device Security

Microsoft ExchangeConnections, Orlando, 2008


Transcript

  • 1. Mobile Device Security. John Rhoton, Hewlett Packard, [email_address]
  • 2. But just what is mobility?
      • Devices:
        • Mobility = Mobile phones?
        • Mobility = Smart phones?
        • Mobility = PDAs?
      • Wireless:
        • Mobility = Wireless LANs?
        • Mobility = GSM/GPRS?
      • Applications:
        • Mobility = Form-factor adaptation?
        • Mobility = Synchronisation?
  • 3. Mobility: Challenges
  • 4. Where is confidential data most vulnerable? Source: ESG Research Report
  • 5. Facets of Mobile Security (diagram): devices, air transmissions (PAN, LAN, WAN), public and private networks joined by VPN, and applications, all under management; the facets span mobility, wireless and traditional security, and the numbers 1 to 4 mark the four agenda areas.
  • 6. Agenda
      • Mobile devices
      • Air interfaces
        • Bluetooth, 802.11b, WWAN
      • Remote Access
        • Tunnels (VPNs), Roaming
      • Perimeter Security
        • Compartmentalization, Access Controls
  • 7. Device Security (Windows Mobile)
  • 8. Threats to Mobile Devices
    • Stolen information
      • Host intrusion, stolen device
    • Unauthorized network/application access
      • Compromised credentials, host intrusion
    • Virus propagation
      • Virus susceptibility
    • Lost information
      • Lost, stolen or damaged device
    Source: Trend Micro
  • 9. Windows Mobile Content Protection: Access Control Approaches
    • Simple Lock-out
    • Encryption
      • Private key storage?
      • Smartcard / TPM
      • Hash private key (dictionary attack)
        • Couple with strong password policies
    • Prevent insecure boot
      • Analogous to BIOS password and Drivelock
    • Choice depends on
      • Sensitivity of data
      • Sustainable impact on usability and performance
      • Trust in user password selection
  • 10. iPAQ Content Protection: Access Control Solutions
    • Native Pocket PC
    • Biometric Authentication
    • HP ProtectTools
    • Pointsec
    • Credant
    • TrustDigital
    • Utimaco
    • Bluefire
    Diagram caption: Centralized Provisioning and Configuration
  • 11. Enterprise Requirements
    • Integrated Management Console
      • Directory (AD/LDAP) integration
    • Centralized Policies
      • Policy polling
      • User cannot remove
      • Screen-lock / Idle-lock
  • 12. Air Interfaces: Bluetooth
  • 13. Pairing & Authentication
    • Pairing
      • Access to both devices
      • Manual input of security code
      • No need to store or remember
    • Authentication
      • Based on stored keys
      • No user intervention
  • 14. Bluetooth Security
    • Acceptable Security Algorithms
      • Initialization
      • Authentication
      • Encryption
    • Prevention of
      • Discoverability, Connectability and Pairing
    • Proximity Requirement
    Diagram: master M holds a separate link key with each paired device A, B, C and D (K MA, K MB, K MC, K MD), plus a key labelled K AD.
  • 15. Multi-tiered security
  • 16. Bluetooth vulnerability
    • PIN Attack
      • Often hard-coded
      • Usually short (4-digit)
    • Bluejacking
    • Bluesnarfing
    • Virus Propagation
    • Centralized Policy Management is critical in the Enterprise!!
  • 17. Air Interfaces: WLAN
  • 18. Needs determine security (diagram: protection options SSID, MAC filter, WEP, WPA/802.11i)
  • 19. MAC Filters
    • Requires management of authorized MAC addresses
    • LAA (Locally Administered Address) can override UAA (Universally Administered Address)
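The LAA/UAA distinction on slide 19 is carried in one bit of the address. The following is an added example, not code from the slides, that audits a MAC-filter allow-list for locally administered, group or malformed entries; the sample addresses are constructed. A card that copies an allowed burned-in address is indistinguishable on the air, which is exactly why the slide treats MAC filters as weak.

```python
# Added example, not from the slides: audit a MAC-filter allow-list.
# The second-lowest bit of the first octet is the U/L bit: 0 = universally
# administered (burned-in UAA), 1 = locally administered (LAA, set in software).
# A card that copies an allowed UAA is indistinguishable on the air, which is the
# slide's point; this audit only catches entries that are LAA, group or malformed.
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.IGNORECASE)

def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return the six raw octets."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", mac))

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 in the first octet) is set."""
    return bool(parse_mac(mac)[0] & 0x02)

def is_group_address(mac: str) -> bool:
    """True when the I/G bit (0x01 in the first octet) is set: multicast or broadcast."""
    return bool(parse_mac(mac)[0] & 0x01)

def audit_allow_list(entries):
    """Map each questionable entry to a reason; entries left out are plain UAAs."""
    findings = {}
    for mac in entries:
        try:
            if is_group_address(mac):
                findings[mac] = "group address, not a station"
            elif is_locally_administered(mac):
                findings[mac] = "locally administered (software-set) address"
        except ValueError as exc:
            findings[mac] = str(exc)
    return findings

SAMPLE_ALLOW_LIST = [  # constructed values, not real hardware
    "00:0F:B5:12:34:56",  # U/L bit clear: universally administered
    "02:0F:B5:12:34:56",  # same octets with the U/L bit set: locally administered
    "01:00:5E:00:00:FB",  # I/G bit set: multicast, never a station
    "00-02-2D-AA-BB-CC",  # dash-separated, universally administered
    "00:0F:B5:12:34",     # malformed: only five octets
]

if __name__ == "__main__":
    for mac, reason in audit_allow_list(SAMPLE_ALLOW_LIST).items():
        print(f"{mac}: {reason}")
```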
  • 20. Equipment of a Wi-Fi freeloader
    • Mobile device
      • Linux
      • Windows
      • Pocket PC
    • Wireless card
      • Orinoco card
      • Prism 2 card
    • Driver for promiscuous mode
    • Cantenna and wireless MMCX to N type cable
  • 21. Increasing the transmission range: DEFCON 2005 WiFi Shootout
    • Large dishes
    • High power levels
    • Line-of-sight
    • Range achieved: 200 km
  • 22. Bringing the “War” to War Driving
  • 23. Tools
    • NetStumbler—access point reconnaissance
      • http://www.netstumbler.com
    • WEPCrack—breaks 802.11 keys
      • http://wepcrack.sourceforge.net/
    • AirSnort—breaks 802.11 keys
      • Needs only 5-10 million packets
      • http://airsnort.shmoo.com/
    • chopper
      • Released August 2004
      • Reduces number of necessary packets to 200-500 thousand
    • Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…
  • 24. Ten-minute WEP crack
    • Kismet
      • reconnaissance
    • Airodump
      • WEP cracking
    • Void11
      • deauth attack
    • Aireplay
      • replay attack
    Source: tom’s networking
  • 25. Wireless LAN security evolution (timeline)
    • 1999: WEP
      • Privacy: 40-bit RC4 with 24-bit IV
      • Auth: SSID and shared key
      • Integrity: CRC
    • 2003: WPA
      • Privacy: per-packet keying (RC4) with 48-bit IV
      • Auth: 802.1x + EAP
      • Integrity: MIC
    • 2005+: 802.11i / WPA2
      • Privacy: AES
      • Auth: 802.1x + EAP
      • Integrity: MIC
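The 24-bit IV on the WEP row is the number behind the packet counts quoted for the cracking tools on slides 23 and 24. The following is an added example, not material from the deck, that works out how quickly a 24-bit IV space repeats: the exact birthday probability for random IVs and the wrap time for a sequential counter; the 500 frames/s rate is a constructed figure.

```python
# Added example, not from the slides: how quickly WEP's 24-bit IV space repeats.
# WEP seeds RC4 with (IV || shared key) per frame, so a repeated IV under the same
# key reuses the keystream. The birthday bound is standard; the frame rate used
# at the bottom is constructed, not measured.
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs

def collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Exact probability that at least one IV repeats among `frames` random IVs.
    Computed as 1 - prod_{i<frames}(1 - i/space), summed in the log domain."""
    if frames > space:        # pigeonhole: more frames than IVs
        return 1.0
    log_no_repeat = sum(math.log1p(-i / space) for i in range(frames))
    return 1.0 - math.exp(log_no_repeat)

def frames_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Birthday approximation: frames needed before a repeat with probability p."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - p)))

def seconds_until_wrap(frames_per_second: float, space: int = IV_SPACE) -> float:
    """A sequential IV counter wraps, guaranteeing keystream reuse, after this long."""
    return space / frames_per_second

if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"50% chance of a repeated IV after {frames_for_probability(0.5):,} random frames")
    for n in (1_000, 10_000, 100_000):
        print(f"{n:>7,} frames: P(repeat) = {collision_probability(n):.4f}")
    hours = seconds_until_wrap(500.0) / 3600   # 500 frames/s is a constructed busy-AP rate
    print(f"Sequential IVs at 500 frames/s wrap after {hours:.1f} hours")
```

The 48-bit IV on the WPA row pushes the same wrap point out by a factor of 2^24, which is the reason the timeline lists it as a privacy improvement.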
  • 26. 802.11i / WPA2
    • Ratified June 2004
    • AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
      • Symmetric-key block cipher
      • Computationally efficient
      • Can use large keys (> 1024 bits)
    • Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
      • RFC 3610
    • May require equipment upgrades
      • Some WPA implementations already support AES
    • Update for Windows XP (KB893357)
  • 27. IEEE 802.1x Explanation
    • Restricts physical access to the WLAN
    • Can use existing authentication system
    Diagram: the Supplicant (client) talks EAP over 802.1x to the Authenticator (access point), which relays EAP to the Authentication Server (RADIUS server) over RADIUS; TKIP / MIC protects the air link.
  • 28. WiFi Protected Access (WPA)
    • Temporal Key Integrity Protocol
      • Fast/Per packet keying, Message Integrity Check
    • WPA-Personal
    • WPA-Enterprise
    • Requires non-trivial client configuration
  • 29. Enterprise WLAN Security Options
    • WPA – Enterprise
      • Transition to 802.11i
      • Requires WPA-compliant APs and NICs
    • VPN Overlay
      • Performance overhead (20-30%)
      • VPN Concentrator required
    • RBAC
      • Additional appliance and infrastructure
      • Most refined access
    • Home WLAN: WEP/WPA key rotation, firewall, intrusion detection
    • Public WLAN: MAC address filter, secure billing, VPN passthrough
  • 30. Rogue and Decoy Access Points
    • Highest risk when WLANs are NOT implemented
      • Usually completely unsecured
      • Connected by naïve (rather than malicious) users
    • Intrusion Detection Products
      • Manual, Sensors, Infrastructure
    • Multi-layer perimeters
      • 802.1x
      • RBAC, VPN
    • Decoys can be counteracted with automated configuration
  • 31. Air Interfaces: WWAN
  • 32. Wireless WAN (Wide Area Network)
      • GSM, GPRS, HSCSD, EDGE, UMTS, HSDPA
      • CDMA 1XRTT, EV-DO, EV-DV, 3X
      • 802.16, 802.20
      • 2G -> 2.5G -> 3G -> 4G
      • Bandwidth 9.6kbps - 2Mbps+
      • Large geographical coverage
      • International coverage through roaming
    Diagram: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card. Reference: http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf
  • 33. Multiple interfaces maximize flexibility (diagram with PAN, WLAN, 3G, GPRS and Satellite zones)
    • Surfing: Person 1 improves bandwidth by moving into a 3G area
    • MP3 download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
    • Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
    • At sea: Person 5 maintains coverage via satellite after leaving GPRS range
    Vendors shown: Columbitech, Birdstep, Ecutel
  • 34. Unauthorized Wireless Bridge Prevented through Policy
  • 35. Perimeter Security
  • 36. Perimeter Evolution
    • Restricted Network Access
    • Role-based Access Control
    • Network Compartmentalization
    Diagram: access-control criteria shown as IP address, port, time and VLAN on one side and user, role, schedule and location on the other.
  • 37. Credant OTA Sync Control (diagram)
    • Provides automatic network detection and remediation of mobile devices attempting to synchronize with Microsoft Exchange (Exchange 2003)
    • Local Gatekeeper can detect devices which sync via a local ActiveSync connection
    • OTA Sync Control detects devices which sync via Server ActiveSync over the Internet; based on an ISAPI extension
    Diagram elements: handheld, local ActiveSync, Internet, Exchange Server, app servers
  • 38. Trust Digital Mobile Edge Perimeter Security
    • Wireless Provisioning Portal
      • Device and user registration integrated with enterprise use policy acceptance
      • Over-the-air (OTA) delivery of Trust Digital software and policy
    • Advanced Features
      • Asset, activity, and compliance reporting
      • Help Desk functionality including self-service portal
    • Network Admission Control
      • Ensures security/compliance of end-user device
      • Interrogates devices before allowing access
      • Integrated with Microsoft ISA Server
  • 39. HP Enterprise Mobility Suite (architecture diagram)
    • Diagram labels: WW Wireless Operator Networks, HP Enterprise Devices, HP Worldwide Hosting Facilities, Enterprise, Internet; links labelled SMS, TCP/IP and HTTPS
    • HP Enterprise: Device Support, S/W Maintenance, WW Network Support
    • FusionDM for Enterprise: Device Troubleshooting, Device Security, Policy Mgmt, Asset Mgmt, IT Dash Board
    • Existing IT Systems: Exchange®, Domino®, Groupwise®, Corporate Directory, Active Directory®, Intranet, CRM, Application Portal
    • Leading OEM Device Manufacturers
  • 40. Mobile Device Security Management
    • Provisioning security tools
    • Policy enforcement
      • Passwords
      • Device lock
      • Policy updates
    • User support
      • Device lockout
      • Backup/restore
    Diagram: Security vs. Usability trade-off
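Slides 11, 38 and 40 describe the same control from three angles: a centrally defined policy (password, device lock, polling, an agent the user cannot remove) that is checked before a device is admitted to sync. The following is an added example, not code from the deck or from any of the products it names, showing that check as one policy applied to reported device state; the field names, thresholds and sample records are constructed.

```python
# Added example, not from the slides or from the products they name: one central
# policy applied to the state a device reports before it may sync. Field names,
# thresholds and the sample records are constructed for the demonstration.
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Policy:
    min_password_length: int = 8
    max_idle_lock_seconds: int = 300        # screen must lock within 5 minutes idle
    require_storage_encryption: bool = True
    max_policy_age_seconds: int = 86400     # must have polled policy within a day
    require_security_agent: bool = True     # user must not be able to remove it

@dataclass
class DeviceState:
    device_id: str
    password_length: int
    idle_lock_seconds: int          # 0 means idle lock is disabled
    storage_encrypted: bool
    policy_age_seconds: int         # seconds since the device last pulled policy
    security_agent_present: bool

def evaluate(dev: DeviceState, pol: Policy) -> List[str]:
    """Return every policy violation; an empty list means the device is compliant."""
    v = []
    if dev.password_length < pol.min_password_length:
        v.append(f"password shorter than {pol.min_password_length} characters")
    if dev.idle_lock_seconds == 0 or dev.idle_lock_seconds > pol.max_idle_lock_seconds:
        v.append(f"idle lock disabled or later than {pol.max_idle_lock_seconds}s")
    if pol.require_storage_encryption and not dev.storage_encrypted:
        v.append("storage is not encrypted")
    if dev.policy_age_seconds > pol.max_policy_age_seconds:
        v.append("policy is stale: device has not polled recently")
    if pol.require_security_agent and not dev.security_agent_present:
        v.append("security agent missing or removed by the user")
    return v

def admit(dev: DeviceState, pol: Policy) -> bool:
    return not evaluate(dev, pol)   # sync gateway admits only fully compliant devices

SAMPLE_DEVICES = [  # constructed fleet
    DeviceState("ipaq-001", 10, 120, True, 3600, True),
    DeviceState("ipaq-002", 4, 0, False, 172800, True),
    DeviceState("ipaq-003", 8, 600, True, 600, False),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.device_id, "admit" if admit(dev, Policy()) else evaluate(dev, Policy()))
```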
  • 41. Summary
    • Security concerns are the greatest inhibitor to mobility
      • Wireless networks and devices introduce new risks
      • Some mobile security (e.g. WLAN) has been inadequate
      • The industry has since recognized and addressed the main threats
    • The enterprise challenge:
      • Systematically reassess security architecture
      • Standardize on security configuration
      • Ensure user compliance through automation and policy enforcement
  • 42. Questions? Contact me at: john.rhoton@hp.com
  • 43. Your Feedback is Important
    • Please fill out a session evaluation form and either put them in the basket near the exit or drop them off at the conference registration desk.
    • Thank you!