Windows Mobile Enterprise Security Best Practices

Published on: Microsoft Mobile & Embedded DevCon, Las Vegas, 2007

Transcript of "Windows Mobile Enterprise Security Best Practices"

1. Windows Mobile Enterprise Security Best Practices
   John Rhoton, Mobile Technology Lead, HP Services

2. But just what is mobility?
   - Devices:
     - Mobility = Mobile phones?
     - Mobility = Smart phones?
     - Mobility = PDAs?
   - Wireless:
     - Mobility = Wireless LANs?
     - Mobility = GSM/GPRS?
   - Applications:
     - Mobility = Form-factor adaptation?
     - Mobility = Synchronisation?

3. Facets of Mobile Security
   (Diagram: management, devices, air transmissions (PAN, LAN, WAN), public networks with VPN, private networks and applications; the mobility and wireless elements are set against traditional security, with areas numbered 1 to 4 as in the agenda.)

4. Agenda
   1. Mobile devices
   2. Air interfaces: Bluetooth, 802.11b, WWAN
   3. Remote Access: Tunnels (VPNs), Roaming
   4. Perimeter Security: Compartmentalization, Access Controls

5. Device Security (Windows Mobile)

6. Threats to Mobile Devices
   - Stolen information: host intrusion, stolen device
   - Unauthorized network/application access: compromised credentials, host intrusion
   - Virus propagation: virus susceptibility
   - Lost information: lost, stolen or damaged device
   (Timeline of mobile malware, June 2004 to July 2005, Source: Trend Micro. Symbian OS (Nokia, etc): Cabir, Qdial, Skulls, Vlasco, Locknut (Gavno), Comwar, Dampig, Drever, Mabir, Fontal, Hobbes, Doomed. Windows CE (HP, etc): WinCE DUTS, WinCE BRADOR.)

7. Mobile Device Security Management
   - Platform selection and configuration
   - Policy enforcement: passwords, device lock, policy updates
   - User support: device lockout, backup/restore
   (Slide shows the trade-off between Security and Usability.)

8. Windows Mobile Content Protection: Access Control Approaches
   - Simple lock-out
   - Encryption
     - Private key storage?
     - Smartcard / TPM
     - Hash private key (dictionary attack)
       - Couple with strong password policies
   - Prevent insecure boot: analogous to BIOS password and DriveLock
   - Choice depends on:
     - Sensitivity of data
     - Sustainable impact on usability and performance
     - Trust in user password selection

9. iPAQ Content Protection: Access Control Solutions
   - Native Pocket PC
   - Biometric Authentication
   - HP ProtectTools
   - Pointsec
   - Credant

10. Enterprise Requirements
   - Integrated Management Console: Directory (AD/LDAP) integration
   - Centralized Policies:
     - Policy polling
     - User cannot remove
     - Screen-lock / Idle-lock

11. MSFP: Messaging and Security Feature Pack
   - Exchange 2003 SP2
   - Windows Mobile 5.0 (Persistent Storage)
   - S/MIME
   - Certificate-based Authentication
   - Policy Enforcement
   - Local wipe
   - Remote wipe

12. Summary of Access Control
   - Credant: centralized management; adopted by HP IT; Personal Edition bundled with iPAQ
   - Pointsec: centralized management; multi-platform (Windows Mobile and Windows (Full Disk Encryption))
   - HP ProtectTools: no encryption; government certification; secure boot
   - Mobile Device Security and Mobile Device Management are tightly connected in a comprehensive enterprise solution!

13. Air Interfaces: Bluetooth

14. Pairing & Authentication
   - Pairing:
     - Access to both devices
     - Manual input of security code ("PIN")
     - No need to store or remember
   - Authentication:
     - Based on stored keys
     - No user intervention

15. Bluetooth Security
   - Acceptable Security Algorithms: initialization, authentication, encryption
   - Prevention of Discoverability, Connectability and Pairing
   - Proximity Requirement
   (Diagram: master M with devices A, B, C, D and link keys K_MA, K_MB, K_MC, K_MD, plus K_AD between A and D.)

16. Multi-tiered security

17. Bluetooth vulnerability
   - PIN Attack: often hard-coded; usually short (4-digit)
   - Bluejacking
   - Bluesnarfing
   - Virus Propagation
   - Centralized Policy Management is critical in the Enterprise!!

18. Air Interfaces: WLAN

19. Needs determine security
   (Diagram: options in increasing strength: SSID, MAC Filter, WEP, WPA/802.11i)

20. MAC Filters
   - Requires management of authorized MAC addresses
   - LAA (Locally Administered Address) can override UAA (Universally Administered Address)
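The LAA/UAA point on slide 20 is worth checking mechanically: the U/L bit in a MAC's first octet tells a defender whether an allowlist entry even names vendor-assigned hardware. The following audit is an added example, not code from the talk or from HP; the allowlist values and the accepted notations are constructed for the demonstration.

```python
# Added example, not from the slides: audit a MAC filter allowlist for addresses
# the filter cannot vouch for. Bit 0x02 of the first octet is the U/L bit: clear
# means a vendor-assigned UAA, set means a locally administered address (LAA) that
# any driver can configure, so an LAA entry says nothing about the real hardware.
import re

# Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff or aabbccddeeff.
_MAC_RE = re.compile(
    r"^[0-9a-f]{2}([-:])(?:[0-9a-f]{2}\1){4}[0-9a-f]{2}$"
    r"|^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$"
)

def parse_mac(text):
    """Normalise a MAC in any accepted notation to 6 bytes."""
    s = text.strip().lower()
    if not _MAC_RE.match(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub(r"[^0-9a-f]", "", s))

def classify_mac(text):
    """Return the canonical form plus the I/G and U/L bit interpretation."""
    mac = parse_mac(text)
    return {
        "mac": mac.hex(":"),
        "multicast": bool(mac[0] & 0x01),             # I/G bit
        "locally_administered": bool(mac[0] & 0x02),  # U/L bit
    }

def audit_allowlist(entries):
    """List (entry, reason) pairs for entries a MAC filter should not rely on."""
    findings = []
    for entry in entries:
        try:
            info = classify_mac(entry)
        except ValueError:
            findings.append((entry, "malformed"))
            continue
        if info["multicast"]:
            findings.append((entry, "multicast address, never a station"))
        elif info["locally_administered"]:
            findings.append((entry, "locally administered (U/L bit set), settable in software"))
    return findings

# Constructed sample allowlist for the demonstration, not a real inventory.
SAMPLE_ALLOWLIST = [
    "00:0c:29:4a:1b:2c",  # UAA with a vendor OUI
    "02:0c:29:4a:1b:2c",  # same OUI with the U/L bit set: an LAA
    "0A-1B-2C-3D-4E-5F",  # LAA in dash notation
    "0010.a4b2.c3d4",     # UAA in dotted notation
    "01:00:5e:00:00:fb",  # multicast
    "00:11:22:33:44",     # malformed (five octets)
]
```

`audit_allowlist(SAMPLE_ALLOWLIST)` flags the two LAAs, the multicast address and the malformed entry; only the two UAAs pass, and even those only prove that the filter matched a value any client could copy.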
21. Equipment of a Wi-Fi freeloader
   - Mobile device: Linux, Windows, Pocket PC
   - Wireless card: Orinoco card, Prism 2 card
   - Driver for promiscuous mode
   - Cantenna and wireless MMCX to N type cable

22. Increasing the transmission range: DEFCON 2005 WiFi Shootout
   - Large dishes
   - High power levels
   - Line-of-sight
   (Range shown: 200 km)

23. Bringing the "War" to War Driving

24. Tools
   - NetStumbler: access point reconnaissance (http://www.netstumbler.com)
   - WEPCrack: breaks 802.11 keys (http://wepcrack.sourceforge.net/)
   - AirSnort: breaks 802.11 keys; needs only 5-10 million packets (http://airsnort.shmoo.com/)
   - chopper: released August 2004; reduces the number of necessary packets to 200-500 thousand
   - Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…

25. NetStumbler screen capture: Downtown Sacramento

26. WiFiFoFum

27. Airsnort cracked the WEP key: about 16 hours
   - chopper reduces this by an order of magnitude

28. Ten-minute WEP crack
   - Kismet: reconnaissance
   - Airodump: WEP cracking
   - Void11: deauth attack
   - Aireplay: replay attack
   Source: Tom's Networking

29. Wireless LAN security evolution
   - 1999, WEP: privacy 40 bit RC4 with 24 bit IV; auth SSID and shared key; integrity CRC
   - 2003, WPA: privacy per-packet keying (RC4) with 48 bit IV; auth 802.1x + EAP; integrity MIC
   - 2005+, 802.11i / WPA2: privacy AES; auth 802.1x + EAP; integrity MIC
   (Security increases along the timeline.)

30. WiFi Protected Access (WPA)
   - Temporal Key Integrity Protocol: fast/per-packet keying, Message Integrity Check
   - WPA-Personal
   - WPA-Enterprise

31. IEEE 802.1x Explanation
   - Restricts physical access to the WLAN
   - Can use existing authentication system
   (Diagram: Supplicant (Client) talks 802.1x/EAP to the Authenticator (Access Point), which relays EAP over RADIUS to the Authentication Server (RADIUS Server); TKIP / MIC protects the client-to-AP link.)

32. 802.11i / WPA2
   - Ratified June 2004
   - AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
     - Symmetric-key block cipher
     - Computationally efficient
     - Can use large keys (> 1024 bits)
   - Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
     - RFC 3610
   - May require equipment upgrades
     - Some WPA implementations already support AES
   - Update for Windows XP (KB893357)

33. Enterprise WLAN Security Options
   - WPA-Enterprise: eventual transition to 802.11i; requires WPA-compliant APs and NICs
   - VPN Overlay: performance overhead (20-30%); VPN concentrator required
   - RBAC: additional appliance and infrastructure; most refined access
   - Home WLAN: WEP key rotation, firewall, intrusion detection
   - Public WLAN: MAC address filter, secure billing, VPN passthrough

34. Rogue Access Points
   - Highest risk when WLANs are NOT implemented
     - Usually completely unsecured
     - Connected by naïve (rather than malicious) users
   - Intrusion Detection Products: manual, sensors, infrastructure
   - Multi-layer perimeters: 802.1x; RBAC, VPN
   (Diagram: a rogue AP bridging Internet and Intranet access.)
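Slides 29 and 34 together suggest the simplest form of the "manual" rogue AP detection the talk lists: compare a scan against the AP inventory and rank what each AP advertises on the WEP, WPA, 802.11i/WPA2 scale. The code below is an added example, not from the talk or any product named on the slides; the semicolon-separated record layout, inventory and scan values are constructed for the demonstration and are not NetStumbler's or Kismet's real export format.

```python
# Added example, not from the slides: a small rogue/weak access point audit over
# constructed scan records, ranking security with the WEP -> WPA -> 802.11i/WPA2
# order of the timeline slide. The record layout (bssid;ssid;security;channel;rssi)
# is assumed for the demo; it is not NetStumbler's or Kismet's real export format.
SECURITY_TIER = {"OPEN": 0, "WEP": 1, "WPA": 2, "WPA2": 3}  # higher is stronger

def parse_scan(text):
    """Parse 'bssid;ssid;security;channel;rssi' lines, skipping blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        bssid, ssid, security, channel, rssi = line.split(";")
        records.append({"bssid": bssid.lower(), "ssid": ssid, "security": security.upper(),
                        "channel": int(channel), "rssi": int(rssi)})
    return records

def audit_aps(records, inventory, corp_ssids, min_tier="WPA2"):
    """Flag APs unknown to inventory (worst if they advertise a corporate SSID,
    as a rogue AP impersonating the WLAN would) and managed APs below min_tier."""
    floor = SECURITY_TIER[min_tier]
    findings = []
    for r in records:
        known = r["bssid"] in inventory
        tier = SECURITY_TIER.get(r["security"], 0)  # unknown labels rank as open
        if not known and r["ssid"] in corp_ssids:
            findings.append((r["bssid"], "corporate SSID from a BSSID not in inventory"))
        elif not known:
            findings.append((r["bssid"], "AP not in inventory"))
        elif tier < floor:
            findings.append((r["bssid"], f"managed AP below {min_tier} ({r['security']})"))
    return findings

# Constructed scan output and inventory for the demonstration.
SAMPLE_SCAN = """
# bssid;ssid;security;channel;rssi
00:11:22:aa:bb:01;CORP;WPA2;6;-48
00:11:22:aa:bb:02;CORP;WEP;11;-55
0a:bb:cc:dd:ee:ff;CORP;OPEN;6;-40
00:de:ad:be:ef:00;linksys;OPEN;1;-70
"""
INVENTORY = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
CORP_SSIDS = {"CORP"}

if __name__ == "__main__":
    for bssid, reason in audit_aps(parse_scan(SAMPLE_SCAN), INVENTORY, CORP_SSIDS):
        print(bssid, reason)
```

The sample produces three findings: the managed AP still on WEP, the unknown open AP broadcasting the corporate SSID, and the unrelated "linksys" AP that a naïve user may have plugged into the wired network.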
35. Air Interfaces: WWAN

36. Wireless WAN (Wide Area Network)
   - GSM, GPRS, HSCSD, EDGE, UMTS
   - CDMA 1XRTT, EV-DO, EV-DV, 3X
   - 802.16, 802.20
   - 2G -> 2.5G -> 3G -> 4G
   - Bandwidth 9.6kbps - <2Mbps
   - Large geographical coverage
   - International coverage through roaming
   (Pictured: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card.)
   See: http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf

37. Mobile Network Scenarios
   (Diagram: PAN Zone, WLAN Zone, 3G Zone, GPRS Zone and Satellite Zone with Persons 1 to 5 moving between them.)
   - Surfing: Person 1 improves bandwidth by moving into a 3G area
   - MP3 Download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
   - Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
   - At sea: Person 5 maintains coverage via satellite after leaving GPRS range
   Vendors: Columbitech, Birdstep, Ecutel

38. Unauthorized Wireless Bridge

39. Perimeter Security

40. Refined Network Access
   - Binary Access Insufficient
   - Health checks become mandatory (NAP)
   - Complete Access Layer secured (e.g. 802.1x)

41. Role-based Access Control
   - Bluesocket
   - Perfigo (Cisco)
   - Cranite
   - Aruba
   - HP ProCurve (Vernier)
   (Diagram: user-level attributes (Role, Schedule, Location, User) are mapped by Access Control onto network-level parameters (IP Address, Port, Time, VLAN).)

42. Network Compartmentalization
   - Virus Throttling
   - Adaptive Network Architecture

43. Summary
   - Security concerns are the greatest inhibitor to mobility
   - Wireless networks and devices introduce new risks
   - Some mobile security (e.g. WLAN) has been inadequate
   - The industry has since recognized and addressed the main threats
   - The key to mobile security is a thorough reevaluation of existing security

44. Questions? Contact me at: john.rhoton@hp.com