Windows Mobile Enterprise Security Best Practices

Published on

Microsoft Mobile & Embedded DevCon, Las Vegas, 2007

  • Transcript

    • 1. Windows Mobile Enterprise Security Best practices. John Rhoton, Mobile Technology Lead, HP Services
    • 2. But just what is mobility?
      • Devices:
        • Mobility = Mobile phones?
        • Mobility = Smart phones?
        • Mobility = PDAs?
      • Wireless:
        • Mobility = Wireless LANs?
        • Mobility = GSM/GPRS?
      • Applications:
        • Mobility = Form-factor adaptation?
        • Mobility = Synchronisation?
    • 3. Facets of Mobile Security
      • [Diagram labels: management; devices; air transmissions (PAN, LAN, WAN); public networks; private networks; applications; VPN; mobility, wireless and traditional security; areas numbered 1 to 4]
    • 4. Agenda
      • (1) Mobile devices
      • (2) Air interfaces
        • Bluetooth, 802.11b, WWAN
      • (3) Remote Access
        • Tunnels (VPNs), Roaming
      • (4) Perimeter Security
        • Compartmentalization, Access Controls
    • 5. Device Security (Windows Mobile)
    • 6. Threats to Mobile Devices
      • Stolen information
        • Host intrusion, stolen device
      • Unauthorized network/application access
        • Compromised credentials, host intrusion
      • Virus propagation
        • Virus susceptibility
      • Lost information
        • Lost, stolen or damaged device
      • [Timeline figure, source: Trend Micro. Mobile malware dated from 20 June 2004 to 4 July 2005: Cabir, Win CE DUTS, Win CE BRADOR, Qdial, Skulls, Vlasco, Locknut (Gavno), Dampig, Comwar, Drever, Hobbes, Fontal, Mabir, Doomed. Legend: Symbian OS (Nokia, etc.) and Windows CE (HP, etc.)]
    • 7. Mobile Device Security Management
      • Platform selection and configuration
      • Policy enforcement
        • Passwords
        • Device lock
        • Policy updates
      • User support
        • Device lockout
        • Backup/restore
      • [Diagram labels: Security, Usability]
    • 8. Windows Mobile Content Protection Access Control Approaches
      • Simple Lock-out
      • Encryption
        • Private key storage?
        • Smartcard / TPM
        • Hash private key (dictionary attack)
          • Couple with strong password policies
      • Prevent insecure boot
        • Analogous to BIOS password and Drivelock
      • Choice depends on
        • Sensitivity of data
        • Sustainable impact on usability and performance
        • Trust in user password selection
    • 9. iPAQ Content Protection Access Control Solutions
      • Native Pocket PC
      • Biometric Authentication
      • HP ProtectTools
      • Pointsec
      • Credant
    • 10. Enterprise Requirements
      • Integrated Management Console
        • Directory (AD/LDAP) integration
      • Centralized Policies
        • Policy polling
        • User cannot remove
        • Screen-lock / Idle-lock
    • 11. MSFP (Messaging and Security Feature Pack)
      • Exchange 2003 SP2
      • Windows Mobile 5.0
        • (Persistent Storage)
      • S/MIME
      • Certificate-based Authentication
      • Policy Enforcement
      • Local wipe
      • Remote wipe
    • 12. Summary of Access Control
      • Credant
        • Centralized Management
        • Adopted by HP IT
        • Personal Edition bundled with iPAQ
      • Pointsec
        • Centralized Management
        • Multi-platform
          • Windows Mobile and Windows (Full Disk Encryption)
      • HP ProtectTools
        • No encryption
        • Government certification
        • Secure boot
      • Mobile Device Security and Mobile Device Management are tightly connected in a comprehensive enterprise solution!
    • 13. Air Interfaces: Bluetooth
    • 14. Pairing & Authentication
      • Pairing
        • Access to both devices
        • Manual input of security code ("PIN")
        • No need to store or remember
      • Authentication
        • Based on stored keys
        • No user intervention
    • 15. Bluetooth Security
      • Acceptable Security Algorithms
        • Initialization
        • Authentication
        • Encryption
      • Prevention of Discoverability, Connectability and Pairing
      • Proximity Requirement
      • [Diagram: nodes A, B, C, D and M; key labels K_AD, K_MA, K_MB, K_MC, K_MD]
    • 16. Multi-tiered security
    • 17. Bluetooth vulnerability
      • PIN Attack
        • Often hard-coded
        • Usually short (4-digit)
      • Bluejacking
      • Bluesnarfing
      • Virus Propagation
      • Centralized Policy Management is critical in the Enterprise!!
    • 18. Air Interfaces: WLAN
    • 19. Needs determine security
      • [Diagram labels: SSID, MAC Filter, WEP, WPA/802.11i]
    • 20. MAC Filters
      • Requires management of authorized MAC addresses
      • LAA (Locally Administered Address) can override UAA (Universally Administered Address)
    • 21. Equipment of a Wi-Fi freeloader
      • Mobile device
        • Linux
        • Windows
        • Pocket PC
      • Wireless card
        • Orinoco card
        • Prism 2 card
      • Driver for promiscuous mode
      • Cantenna and wireless MMCX to N type cable
    • 22. Increasing the transmission range: DEFCON 2005 WiFi Shootout
      • Large dishes
      • High power levels
      • Line-of-sight
      • 200 km
    • 23. Bringing the “War” to War Driving
    • 24. Tools
      • NetStumbler—access point reconnaissance
        • http://www.netstumbler.com
      • WEPCrack—breaks 802.11 keys
        • http://wepcrack.sourceforge.net/
      • AirSnort—breaks 802.11 keys
        • Needs only 5-10 million packets
        • http://airsnort.shmoo.com/
      • chopper
        • Released August 2004
        • Reduces number of necessary packets to 200-500 thousand
      • Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…
    • 25. NetStumbler screen capture – Downtown Sacramento
    • 26. WiFiFoFum
    • 27. Airsnort cracked the WEP key – About 16 hours
      • chopper reduces by an order of magnitude
    • 28. Ten-minute WEP crack
      • Kismet
        • reconnaissance
      • Airodump
        • WEP cracking
      • Void11
        • deauth attack
      • Aireplay
        • replay attack
      • Source: tom’s networking
    • 29. Wireless LAN security evolution
      • [Chart axes: Timeline, Security]
      • 1999: WEP
        • Privacy: 40 bit RC4 with 24 bit IV
        • Auth: SSID and Shared key
        • Integrity: CRC
      • 2003: WPA
        • Privacy: Per packet keying (RC4) with 48 bit IV
        • Auth: 802.1x + EAP
        • Integrity: MIC
      • 2005+: 802.11i / WPA2
        • Privacy: AES
        • Auth: 802.1x + EAP
        • Integrity: MIC
    • 30. WiFi Protected Access (WPA)
      • Temporal Key Integrity Protocol
        • Fast/Per packet keying, Message Integrity Check
      • WPA-Personal
      • WPA-Enterprise
    • 31. IEEE 802.1x Explanation
      • Restricts physical access to the WLAN
      • Can use existing authentication system
      • [Diagram: Supplicant (Client), Authenticator (Access Point), Authentication Server (RADIUS Server); link labels: 802.1x, EAP, RADIUS, TKIP / MIC]
    • 32. 802.11i / WPA2
      • Ratified June 2004
      • AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
        • Symmetric-key block cipher
        • Computationally efficient
        • Can use large keys (> 1024 bits)
      • Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP
        • RFC 3610
      • May require equipment upgrades
        • Some WPA implementations already support AES
      • Update for Windows XP (KB893357)
    • 33. Enterprise WLAN Security Options
      • WPA – Enterprise
        • Eventual transition to 802.11i
        • Requires WPA-compliant APs and NICs
      • VPN Overlay
        • Performance overhead (20-30%)
        • VPN Concentrator required
      • RBAC
        • Additional appliance and infrastructure
        • Most refined access
      • Home WLAN: WEP key rotation, firewall, intrusion detection
      • Public WLAN: MAC address filter, secure billing, VPN passthrough
    • 34. Rogue Access Points
      • Highest risk when WLANs are NOT implemented
        • Usually completely unsecured
        • Connected by naïve (rather than malicious) users
      • Intrusion Detection Products
        • Manual, Sensors, Infrastructure
      • Multi-layer perimeters
        • 802.1x
        • RBAC, VPN
      • [Diagram labels: Internet, Intranet, Access]
    • 35. Air Interfaces: WWAN
    • 36. Wireless WAN (Wide Area Network)
      • GSM, GPRS, HSCSD, EDGE, UMTS
      • CDMA 1XRTT, EV-DO, EV-DV, 3X
      • 802.16, 802.20
      • 2G -> 2.5G -> 3G -> 4G
      • Bandwidth 9.6kbps - <2Mbps
      • Large geographical coverage
      • International coverage through roaming
      • [Device images: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card]
      • http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf
    • 37. Mobile Network Scenarios
      • [Diagram: PAN Zone, WLAN Zone, 3G Zone, GPRS Zone and Satellite Zone, with Persons 1 to 5]
      • Surfing: Person 1 improves bandwidth by moving into a 3G area
      • MP3 Download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
      • Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
      • At sea: Person 5 maintains coverage via satellite after leaving GPRS range
      • Columbitech, Birdstep, Ecutel
    • 38. Unauthorized Wireless Bridge
    • 39. Perimeter Security
    • 40. Refined Network Access
      • Binary Access Insufficient
      • Health checks become mandatory (NAP)
      • Complete Access Layer secured (e.g. 802.1x)
    • 41. Role-based Access Control
      • Bluesocket
      • Perfigo (Cisco)
      • Cranite
      • Aruba
      • HP ProCurve (Vernier)
      • [Diagram labels: Role, Schedule, Location, User, Access Control, IP Address, Port, Time, VLAN]
    • 42. Network Compartmentalization Virus Throttling Adaptive Network Architecture
    • 43. Summary
      • Security concerns are the greatest inhibitor to mobility
      • Wireless networks and devices introduce new risks
      • Some mobile security (e.g. WLAN) has been inadequate
      • The industry has since recognized and addressed the main threats
      • The key to mobile security is a thorough reevaluation of existing security
    • 44. Questions? Contact me at: john.rhoton@hp.com
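
Slide 20 notes that a MAC filter depends on managing the authorized addresses and that a locally administered address (LAA) can override the burned-in one (UAA). The following is an added example, not part of the original deck, of how an administrator might audit such a filter; the allowlist, access point names, addresses and the association record layout are all constructed assumptions.

```python
import re
from itertools import combinations

def normalize_mac(text):
    """Return a MAC as 12 lowercase hex digits; accepts ':', '-' or '.' separators."""
    digits = re.sub(r"[:\-.]", "", text.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, i.e. the address is an LAA."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit(allowlist, associations):
    """associations: (mac, access_point, start, end) tuples, times in seconds.

    Returns sorted (finding, mac) tuples:
      laa-in-allowlist  an allowlisted address is not a burned-in UAA
      not-allowlisted   a station was seen that the filter should have rejected
      concurrent-use    one address was active on two access points at once
    """
    allowed = {normalize_mac(m) for m in allowlist}
    findings = {("laa-in-allowlist", m) for m in allowed if is_locally_administered(m)}
    sessions = {}
    for mac, ap, start, end in associations:
        mac = normalize_mac(mac)
        if mac not in allowed:
            findings.add(("not-allowlisted", mac))
        sessions.setdefault(mac, []).append((start, end, ap))
    for mac, items in sessions.items():
        # Sorted by start time, so two sessions overlap when the later one starts early.
        for (s1, e1, ap1), (s2, e2, ap2) in combinations(sorted(items), 2):
            if ap1 != ap2 and s2 < e1:
                findings.add(("concurrent-use", mac))
    return sorted(findings)

# Constructed sample data (hypothetical addresses and access point names).
ALLOWLIST = ["00:11:22:33:44:55", "00-11-22-AA-BB-CC", "02:00:00:00:00:01"]
ASSOCIATIONS = [
    ("00:11:22:33:44:55", "ap-lobby", 0, 600),
    ("0011.2233.4455", "ap-floor3", 300, 900),   # same address, overlapping time
    ("00:11:22:aa:bb:cc", "ap-lobby", 100, 200),
    ("06:ab:cd:ef:01:23", "ap-floor3", 50, 70),  # LAA that is not on the allowlist
]

if __name__ == "__main__":
    for finding, mac in audit(ALLOWLIST, ASSOCIATIONS):
        print(finding, mac)
```

An LAA alone is not proof of spoofing, since operating systems that randomize their Wi-Fi address also set this bit. Concurrent use of one allowlisted address on two access points is the stronger signal that the address has been copied.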
