Wireless Device and Network level security
Security at Device, Network & Server Levels
QIP Short Term Course On Wireless Security
Chetan Kumar Shivakumar
Protocol Engineering and Technology Unit, IISc.
(Currently working at Alcatel Lucent India Limited)
Organization
- Session 1
  - Mobile Device Security
  - Network Level Security-1
- Session 2
  - Network Level Security-2
  - Server Level Security
Session 1
- Device Level Security
  - Security Requirements
  - Threats and solutions
  - OS Level security
- Network Level Security
  - Security Challenges at network level
  - Security issues in WLAN (part)
  - Cellular Network, Adhoc Network security
What is security
Security is PAIN
- Privacy
- Authentication
- Integrity
- Non-repudiation
Security is Needed for...
- Privacy Reasons: People want to hide certain (culturally specific) things.
- Economic Reasons: People (and enterprises) want to protect their property.
Mobile Security specifics
- Dynamic connections over multiple access networks (partly untrusted)
- Restrictions in communication protocols (bandwidth, latency, …)
- Restrictions in devices (power, performance)
- State of affairs:
  - Client-side technology is still very immature
  - Security management of wireless networks and devices is inherently complicated
- Multiple Stake Holders
  - Owner/Subscriber
  - Service Provider
  - Enterprise
Need for Mobile Device Security
- Resources
  - Mobile devices are becoming more powerful
  - 1 GHz processors are common!!
- Portability
  - Wireless devices are smaller in size and portable
  - Data in those devices requires more protection than data on non-portable devices
  - Mechanisms to recover stolen or lost devices are important
  - Mechanisms for self-destruction of data are also important
Need for Mobile Device Security
- Mobility
  - Mobility brings even bigger challenges
- Trust in infrastructure
  - Wired networks assume a certain level of trust in local infrastructure (we trust our routers). In wireless networks this is a weak assumption.
  - Would you put the same level of trust in an Access Point in an airport as you put in your home AP?
  - Security mechanisms should anticipate these variances in trust. Or, security mechanisms should be independent of location or infrastructure.
- Trust in location
  - Wired networks implicitly assume network address is equivalent to physical location. In wireless networks physical location is not tied to network address.
  - Physical location may change transparently to end nodes.
Need for Mobile Device Security
- Services
  - Multiple services are run on mobile devices
  - I can also talk using my phone!!
  - Multimedia applications
  - CRM applications on mobile devices
  - Mobile sales force applications on mobile devices
Important Data on mobile device
Smart phones and PDA usage
- 55.7% store confidential information on mobile device
- 54% of smart phones used for e-mailing confidential information
- 40% access bank account and credit card
- 10-15% of laptops are stolen with the intent of obtaining data
Mobile device security Threat
- Device lost by accident OR stolen
- Replacement cost
- Cost of restoring data
- Loss of confidential data
- Cloning threat
- Impersonation
Mobile device security Threat
- Data damage by mobile malware
- Some intelligent free app can upload your banking PIN!!
- An easy way to transmit virus (during sync)
Environmental Threats
- Rich interfaces in mobile device, which are software controlled
  - Tethering with WiFi!!
- Unauthorized mobile device in corporate environment
  - Can act as sniffer
- Threat due to using device in busy environments
Few solutions for device security
- Allow only legitimate and valid users into network
  - Network admission control (NAC)
- Data encryption and strong authentication management
- Centralized device management
  - Remove old devices in system
- Patch management for software on mobile devices
- Network level management using Firewall, IDS, anti spyware etc.
Policy enforced solutions
Encrypts data transmissions to and from the device and encrypts data on the devices themselves.
Measures the trustworthiness of the hardware, OS and applications to detect an unauthorised configuration.
Allows IT staffers to deactivate, lock and/or wipe devices which have been stolen or lost.
Provides strong user authentication both to activate the device and to access the network. In the case of loss/theft, user authentication can slow or halt an attacker entirely.
Management functions on the device and on the back-end which allow users to centrally create, rollout, change and enforce their security policies.
Password protection on all devices at power-on. Most mobile devices ship with this feature.
OS Security Mechanism
- Capability model
  - Provide access to resources to only applications that have certain trust level
  - Decided during installation
- Data caging model
  - Certain users get full access to vulnerable files.
- Password protection and CA based authentication
- Remote wipe-out
- Policy propagation mechanism
Network Level Security
Why do we need network security
I can send mail to all news channels using wifi access from this building.
No non-repudiation
Why do we need network security
I can get the passwords now sitting outside this building
Internet Banking is so easy with WiFi at home
Eavesdropping
Why security is more of a concern in wireless?
Two basic security problems in wireless
- Connecting to the network does not need physical access to the network
  - Just stand outside a building, you can get connected to AP that is inside the building
- The broadcast nature of radio communications
  - WiFi networks normally operate at 150 mW, up to 300 m radius
  - Have you ever tried wireshark (or tcpdump)?
Why security is more of a concern in wireless?
Other related security vulnerabilities
- Anyone can generate transmissions,
  - which will be received by other devices in range
  - which will interfere with other nearby transmissions and may prevent their correct reception (jamming)
- Injecting bogus messages into the network is easy
- Replaying previously recorded messages is easy
Why security is more of a concern in wireless?
- Illegitimate access to the network and its services is easy
- Denial of service is easily achieved by jamming
Network Level Security Challenges
- Transmission Security
  - at physical, medium access and data link layers over wireless media.
- Communication Security
  - message confidentiality, integrity, and end-point authentication
- Authorization and Access Control
- Network Infrastructure Protection
- Robustness
- Efficiency
Wireless LAN Security
Various Schemes in WiFi security
- Service Set ID (SSID) based
- MAC Address based filtering
- Wired Equivalent Privacy (WEP)
- eWEP (Enhanced WEP)
- Wi-Fi Protected Access (WPA)
- WPA 2
- IEEE 802.11i
Service Set Identifier (SSID)
- SSID is used to identify an 802.11 network
- It can be pre-configured or advertised in beacon broadcast
- It is transmitted in clear text
- Provides very little security
MAC Address Filtering
MAC address filtering is another way people have tried to secure their networks.
A NIC's MAC address is a 12-digit hexadecimal number that is unique to each and every network card in the world.
Uniqueness allows you to limit access to the AP to only those MAC addresses of authorized devices.
You can easily shut out everyone who should not be on your network.
However, MAC Address filtering is not completely secure and, if you solely rely upon it, you will have a false sense of security.
Issues with MAC Address Filtering
Someone will have to keep a database of the MAC address of every wireless device in your network. When there are hundreds of MAC addresses to keep track of, this will become a nightmare.
MAC addresses can be changed, so a determined attacker can use a wireless sniffer to figure out a MAC address that is allowed through and set his PC to match it so that it is considered valid.
Note that encryption takes place at about Layer 2 of the OSI model, so MAC addresses will still be visible to a packet sniffer.
End of session 1
Let us break for tea..
Session 2
- Network Level Security
  - Security issues in WLAN (part)
  - Cellular Network, Adhoc Network security
- Server Level Security
  - Security Threat for server
  - Server Security Steps
  - Security Solutions
WEP - Wired Equivalent privacy
- Part of the IEEE 802.11 specification
- GOAL
  - make the WiFi network at least as secure as a wired LAN (that has no particular protection mechanisms)
  - WEP was never intended to achieve strong security
  - (in the end, it hasn't achieved even weak security)
WEP - Wired Equivalent privacy
- There is a lot of misconception surrounding WEP.
- WEP is not, nor was it ever meant to be, a security algorithm.
- WEP is not designed to repel; it simply makes sure that you are not less secure because you are not keeping your data in a wire.
- The problem occurs when people see the word "encryption" and make assumptions.
- WEP is designed to make up for the inherent insecurity in wireless TX, as compared to wired TX.
WEP - Wired Equivalent privacy
- WEP makes your data as secure as it would be on an unencrypted, wired Ethernet network.
- That is all it is designed to do, period.
- WEP can be typically configured in three possible modes:
  - No encryption mode
  - 40-bit encryption
  - 128-bit encryption
What is WPA?
Wi-Fi Protected Access (WPA) is a response by the WLAN industry to offer an immediate, stronger security solution than WEP.
WPA was created by the Wi-Fi Alliance, an industry trade group, which owns the trademark to the Wi-Fi name and certifies devices that carry that name.
WPA in a nutshell…
WPA is designed for use with an IEEE 802.1X authentication server, which distributes different keys to each user.
Data is encrypted using the RC4 stream cipher, with a 128-bit key and a 48-bit initialization vector (IV).
One major improvement in WPA over WEP is the Temporal Key Integrity Protocol (TKIP), which dynamically changes keys as the system is used.
When combined with the much larger IV, this defeats the well-known key recovery attacks on WEP.
WPA in a nutshell… (Cont'd)
In addition to authentication and encryption, WPA also provides vastly improved payload integrity.
The cyclic redundancy check (CRC) used in WEP is inherently insecure; it is possible to alter the payload and update the message CRC without knowing the WEP key.
A more secure message authentication code (usually known as a MAC, but here termed a MIC for "Message Integrity Code") is used in WPA, an algorithm named "Michael".
The MIC used in WPA includes a frame counter, which prevents replay attacks from being executed.
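Why an unkeyed CRC cannot serve as an integrity check under a stream cipher, as an added example that is not part of the original slides. It assumes a SHA-256 counter-mode keystream as a stand-in for RC4 and HMAC-SHA-256 as a stand-in for a keyed MIC (it is not Michael); all keys, payloads and function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

def keystream(key, n):
    # Stand-in XOR keystream (SHA-256 in counter mode), NOT RC4.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def crc_tag(payload, key=None):
    # WEP-style integrity value: unkeyed CRC-32 of the payload.
    return zlib.crc32(payload).to_bytes(4, "little")

def mac_tag(payload, key):
    # Keyed tag; HMAC-SHA-256 stands in for a MIC (assumption, not Michael).
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]

def seal(enc_key, payload, tag_fn, tag_key=None):
    # Frame = (payload || tag) XOR keystream, as in a stream-cipher design.
    plain = payload + tag_fn(payload, tag_key)
    return xor(plain, keystream(enc_key, len(plain)))

def open_frame(enc_key, frame, tag_fn, tag_len, tag_key=None):
    # Receiver: decrypt, recompute the tag, return None on mismatch.
    plain = xor(frame, keystream(enc_key, len(frame)))
    payload, tag = plain[:-tag_len], plain[-tag_len:]
    ok = hmac.compare_digest(tag, tag_fn(payload, tag_key))
    return payload if ok else None

def flip_bits(frame, delta, tag_len):
    # The slide's claim: alter the payload and "update the CRC" with no key.
    # CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros).
    fix = xor(crc_tag(delta), crc_tag(bytes(len(delta))))
    return xor(frame, delta + fix.ljust(tag_len, b"\0"))

def demo():
    enc_key, mic_key = b"constructed-enc-key", b"constructed-mic-key"
    payload = b"seq=0001;door=locked"            # constructed sample payload
    delta = bytes(len(payload) - 1) + b"\x01"    # flip one bit of the last byte
    crc_frame = seal(enc_key, payload, crc_tag)
    mac_frame = seal(enc_key, payload, mac_tag, mic_key)
    crc_result = open_frame(enc_key, flip_bits(crc_frame, delta, 4), crc_tag, 4)
    mac_result = open_frame(enc_key, flip_bits(mac_frame, delta, 8),
                            mac_tag, 8, mic_key)
    return crc_result, mac_result
```

The CRC-protected frame is accepted with an altered payload, while the frame carrying a keyed tag is rejected by the receiver.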
WPA Modes
- Pre-Shared Key Mode
  - Does not require authentication server.
  - "Shared Secret" is used for authentication to access point.
- Enterprise Mode
  - Requires an authentication server
  - Uses RADIUS protocols for authentication and key distribution.
  - Centralizes management of user credentials.
In Summary
- Fixes all known WEP privacy vulnerabilities.
- Designed by well-known cryptographers.
- Best possible security to minimize performance degradation on existing hardware.
AdHoc Network Security issues
Challenges in AdHoc Network
- Lack of infrastructure, absence of trusted third parties (TTPs)
- The constraints of the devices and the communication channel
- Bootstrapping security, providing authentication and key exchange
- Enabling key revocation and key renewing in public key infrastructures (PKIs).
Server Level Security
- Servers provide services to mobile devices
  - DHCP/DNS/HTTP/File servers etc.
- Messaging and file services are a very critical part of the mobile work force in an enterprise.
Security Threats in Servers
- Malicious entities may exploit software bugs in the server
- Denial of Service (DoS) attacks
- Sensitive information transmitted unencrypted or weakly encrypted between the server and the client may be intercepted.
- Malicious entities may gain unauthorised access to resources elsewhere in the organisation's network via a successful attack on the server
Securing the Servers
- Planning
  - Identify the Purpose(s) of the Server
  - Install right firewall
  - Install NIDS
- Install, Configure, and Secure the Underlying OS
- Install, Configure, and Secure the Server Software
Thank You
We can address any questions that you had earlier hesitated to ask
'the security of a computer system degrades in direct proportion to the amount of use the system receives' (Farmer's Law)