Windows Mobile Enterprise Security Best Practices
John Rhoton, Mobile Technology Lead, HP Services

Microsoft Mobile & Embedded DevCon, Las Vegas, 2007

Page 1: Windows Mobile Enterprise Security Best Practices

Windows Mobile Enterprise Security Best Practices
John Rhoton, Mobile Technology Lead, HP Services

Page 2: Windows Mobile Enterprise Security Best Practices

But just what is mobility?

Devices: Mobility = Mobile phones? Smart phones? PDAs?
Wireless: Mobility = Wireless LANs? GSM/GPRS?
Applications: Mobility = Form-factor adaptation? Synchronisation?

Page 3: Windows Mobile Enterprise Security Best Practices

Facets of Mobile Security

(Diagram) Labels: management; devices; air transmissions (PAN, LAN, WAN); public networks; private networks; applications. Layers: mobility, wireless, traditional security. Numbered areas 1 to 4, with area 3 marked VPN.

Page 4: Windows Mobile Enterprise Security Best Practices

Agenda

1. Mobile devices
2. Air interfaces: Bluetooth, 802.11b, WWAN
3. Remote Access: Tunnels (VPNs), Roaming
4. Perimeter Security: Compartmentalization, Access Controls

Page 5: Windows Mobile Enterprise Security Best Practices

Device Security (Windows Mobile)

Page 6: Windows Mobile Enterprise Security Best Practices

Threats to Mobile Devices

Threat                                     Cause
Stolen information                         Host intrusion, stolen device
Unauthorized network/application access    Compromised credentials, host intrusion
Virus propagation                          Virus susceptibility
Lost information                           Lost, stolen or damaged device

(Timeline figure) Mobile malware, June 2004 to July 2005. Entries as extracted: Mabir, DUTS (Win CE), BRADOR (Win CE), Locknut (Gavno), Vlasco, Skulls, Cabir, Comwar, Dampig, Qdial, Fontal, Drever, Hobbes, Doomed. Dates shown on the figure: 20 Jun 04, 17 Jul 04, 5 Aug 04, 12 Aug 04, 21 Nov 04, 29 Dec 04, 1 Feb 05, 7 Mar 05, 8 Mar 05, 18 Mar 05, 4 Apr 05, 6 Apr 05, 15 Apr 05, 4 Jul 05. Legend: Symbian OS (Nokia, etc) and Windows CE (HP, etc).

Source: Trend Micro

Page 7: Windows Mobile Enterprise Security Best Practices

Mobile Device Security Management

Platform selection and configuration
Policy enforcement: Passwords, Device lock, Policy updates
User support: Device lockout, Backup/restore

(Diagram axis) Security vs Usability

Page 8: Windows Mobile Enterprise Security Best Practices

Windows Mobile Content Protection: Access Control Approaches

Simple Lock-out
Encryption
  Private key storage? Smartcard / TPM
  Hash private key (dictionary attack)
  Couple with strong password policies
Prevent insecure boot: Analogous to BIOS password and DriveLock
Choice depends on:
  Sensitivity of data
  Sustainable impact on usability and performance
  Trust in user password selection
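As an added example (not code from the deck or from any product it names), the following Python shows the approach the slide sketches: the device's data key is wrapped under a key derived from the user's password, a password policy is enforced at enrolment, and a work-factor estimate makes the "dictionary attack" bullet concrete. The PBKDF2 parameters, the XOR wrapping and the attacker throughput figure are assumptions of the example; a product would use AES key wrap (RFC 3394) or keep the key in a smartcard/TPM and would tune the iteration count to the device CPU.

```python
import hashlib
import hmac
import os
import string

# Constructed parameters for this example; a real product tunes the iteration count to the device.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_kek(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Key-encrypting key from the user's password (PBKDF2-HMAC-SHA256).
    The iteration count is the work factor every guess in a dictionary attack has to pay."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_LEN)


def verifier_tag(kek: bytes) -> bytes:
    """Tag stored beside the wrapped key so a wrong password is detected instead of yielding garbage."""
    return hmac.new(kek, b"verifier", "sha256").digest()


def xor_wrap(data_key: bytes, kek: bytes) -> bytes:
    """Wrap (or unwrap, XOR is its own inverse) the data key under the KEK.
    XOR with a single-use KEK keeps the example dependency-free; a product would use
    AES key wrap or keep the key inside a smartcard / TPM (assumption of this example)."""
    if len(data_key) != len(kek):
        raise ValueError("data key and KEK must be the same length")
    return bytes(a ^ b for a, b in zip(data_key, kek))


def check_password_policy(password: str, min_len: int = 8) -> list:
    """List of policy violations; empty when the password is acceptable."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if password.isdigit():
        problems.append("digits only (PIN-sized search space)")
    if not any(c in string.ascii_letters for c in password):
        problems.append("contains no letters")
    return problems


def guess_space(password: str) -> int:
    """Rough upper bound on the guesses needed for a password built from these character
    classes (a constructed estimate; it ignores that people pick predictable words)."""
    classes = 0
    if any(c in string.ascii_lowercase for c in password):
        classes += 26
    if any(c in string.ascii_uppercase for c in password):
        classes += 26
    if any(c in string.digits for c in password):
        classes += 10
    if any(c in string.punctuation for c in password):
        classes += len(string.punctuation)
    return classes ** len(password)


def exhaustive_search_seconds(space: int, iterations: int, hashes_per_second: float) -> float:
    """Time to try every candidate when each costs `iterations` HMAC evaluations and the
    attacker manages `hashes_per_second` of them (a constructed throughput figure)."""
    return space * iterations / hashes_per_second


def protect_data_key(password: str, data_key: bytes):
    """Enrolment: refuse a password that fails policy, then wrap the data key.
    Returns (salt, wrapped_key, tag); none of these alone reveals the data key."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = os.urandom(16)
    kek = derive_kek(password, salt)
    return salt, xor_wrap(data_key, kek), verifier_tag(kek)


def recover_data_key(password: str, salt: bytes, wrapped: bytes, tag: bytes) -> bytes:
    """Unlock: re-derive the KEK, check the tag in constant time, then unwrap."""
    kek = derive_kek(password, salt)
    if not hmac.compare_digest(verifier_tag(kek), tag):
        raise ValueError("wrong password")
    return xor_wrap(wrapped, kek)


def password_unlocks(password: str, salt: bytes, wrapped: bytes, tag: bytes) -> bool:
    """True when the password re-derives the KEK that produced the stored tag."""
    try:
        recover_data_key(password, salt, wrapped, tag)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = os.urandom(KEY_LEN)  # constructed: the key that encrypts the device's storage
    salt, wrapped, tag = protect_data_key("Correct-Horse-42", key)
    assert recover_data_key("Correct-Horse-42", salt, wrapped, tag) == key
    for pw in ("1234", "Correct-Horse-42"):
        secs = exhaustive_search_seconds(guess_space(pw), PBKDF2_ITERATIONS, 1e6)
        print(f"{pw!r}: policy={check_password_policy(pw) or 'ok'}, exhaustive search ~{secs:.3g} s")
```

The point of the estimate is the slide's last bullet: with a four-digit PIN the whole search space costs seconds even with a slow KDF, so the strength of the scheme rests on "trust in user password selection" unless the key lives in a smartcard or TPM that rate-limits guesses in hardware.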

Page 9: Windows Mobile Enterprise Security Best Practices

iPAQ Content Protection: Access Control Solutions

Native Pocket PC
Biometric Authentication
HP ProtectTools
Pointsec
Credant

Page 10: Windows Mobile Enterprise Security Best Practices

Enterprise Requirements

Integrated Management Console
Directory (AD/LDAP) integration
Centralized Policies: Policy polling; User cannot remove; Screen-lock / Idle-lock

Page 11: Windows Mobile Enterprise Security Best Practices

MSFP: Messaging and Security Feature Pack

Exchange 2003 SP2
Windows Mobile 5.0 (Persistent Storage)
S/MIME
Certificate-based Authentication
Policy Enforcement: Local wipe, Remote wipe

Page 12: Windows Mobile Enterprise Security Best Practices

Summary of Access Control

Credant: Centralized Management; Adopted by HP IT; Personal Edition bundled with iPAQ
Pointsec: Centralized Management; Multi-platform: Windows Mobile and Windows (Full Disk Encryption)
HP ProtectTools: No encryption; Government certification; Secure boot

Mobile Device Security and Mobile Device Management are tightly connected in a comprehensive enterprise solution!

Page 13: Windows Mobile Enterprise Security Best Practices

Air Interfaces: Bluetooth

Page 14: Windows Mobile Enterprise Security Best Practices

Pairing & Authentication

Pairing
  Access to both devices
  Manual input of security code ("PIN")
  No need to store or remember

Authentication
  Based on stored keys
  No user intervention

Page 15: Windows Mobile Enterprise Security Best Practices

Bluetooth Security

Acceptable Security Algorithms: Initialization, Authentication, Encryption
Prevention of Discoverability, Connectability and Pairing
Proximity Requirement

(Diagram) Devices A, B, C, D and the keys shared between them (labels as extracted: KADA, MKMC, KMAKMD, KMB)

Page 16: Windows Mobile Enterprise Security Best Practices

Multi-tiered security

Page 17: Windows Mobile Enterprise Security Best Practices

Bluetooth vulnerability

PIN Attack: Often hard-coded; Usually short (4-digit)
Bluejacking
Bluesnarfing
Virus Propagation

Centralized Policy Management is critical in the Enterprise!

Page 18: Windows Mobile Enterprise Security Best Practices

Air Interfaces: WLAN

Page 19: Windows Mobile Enterprise Security Best Practices

Needs determine security

SSID
MAC Filter
WEP
WPA/802.11i

Page 20: Windows Mobile Enterprise Security Best Practices

MAC Filters

Requires management of authorized MAC addresses
LAA (Locally Administered Address) can override UAA (Universally Administered Address)
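As an added example (not code from the deck), the Python below parses MAC addresses, tests the U/L bit that distinguishes an LAA from a UAA, and audits a constructed allow-list the way an administrator maintaining a MAC filter would. The audit can flag addresses a host assigned itself and obvious list errors; it cannot tell a genuine UAA from a copied one, because the filter only ever sees what the client reports, which is why the deck puts MAC filtering at the bottom of the ladder and recommends 802.1x.

```python
import re

_MAC_RE = re.compile(
    r"^([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})[:-]([0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_mac(text: str) -> list:
    """Six octets of a MAC written as xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx."""
    match = _MAC_RE.match(text.strip())
    if not match:
        raise ValueError(f"not a MAC address: {text!r}")
    return [int(octet, 16) for octet in match.groups()]


def canonical(text: str) -> str:
    """Lower-case, colon-separated form so one address cannot hide twice in different spellings."""
    return ":".join(f"{octet:02x}" for octet in parse_mac(text))


def is_locally_administered(text: str) -> bool:
    """U/L bit (bit 1 of the first octet) set: a Locally Administered Address, assigned by
    software on the host rather than burned in by the manufacturer, so it carries no OUI."""
    return bool(parse_mac(text)[0] & 0x02)


def is_multicast(text: str) -> bool:
    """I/G bit (bit 0 of the first octet) set: a group address, never a station's own address."""
    return bool(parse_mac(text)[0] & 0x01)


def audit_allowlist(entries) -> dict:
    """Sort allow-list entries into buckets an administrator should review.

    'laa' entries are addresses the owning host chose itself; 'ok' entries look like
    manufacturer-assigned UAAs, but nothing in a frame proves that, so 'ok' means
    'well-formed', not 'authenticated'."""
    report = {"ok": [], "laa": [], "multicast": [], "duplicate": [], "invalid": []}
    seen = set()
    for entry in entries:
        try:
            mac = canonical(entry)
        except ValueError:
            report["invalid"].append(entry)
            continue
        if mac in seen:
            report["duplicate"].append(mac)
            continue
        seen.add(mac)
        if is_multicast(mac):
            report["multicast"].append(mac)
        elif is_locally_administered(mac):
            report["laa"].append(mac)
        else:
            report["ok"].append(mac)
    return report


# Constructed sample allow-list: one plausible UAA, one LAA, one multicast group address
# (the mDNS address for 224.0.0.251), the first entry again in another spelling, and a typo.
SAMPLE_ALLOWLIST = [
    "00:11:22:33:44:55",
    "02:00:00:00:00:01",
    "01:00:5e:00:00:fb",
    "00-11-22-33-44-55",
    "00:11:22:zz:44:55",
]

if __name__ == "__main__":
    for bucket, macs in audit_allowlist(SAMPLE_ALLOWLIST).items():
        print(f"{bucket:>9}: {macs}")
```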

Page 21: Windows Mobile Enterprise Security Best Practices

Equipment of a Wi-Fi freeloader

Mobile device: Linux, Windows, Pocket PC
Wireless card: Orinoco card, Prism 2 card
Driver for promiscuous mode
Cantenna and wireless MMCX to N type cable

Page 22: Windows Mobile Enterprise Security Best Practices

Increasing the transmission range

200 km: DEFCON 2005 WiFi Shootout

•Large dishes

•High power levels

•Line-of-sight

Page 23: Windows Mobile Enterprise Security Best Practices

Bringing the “War” to War Driving

Page 24: Windows Mobile Enterprise Security Best Practices

Tools

NetStumbler: access point reconnaissance (http://www.netstumbler.com)
WEPCrack: breaks 802.11 keys (http://wepcrack.sourceforge.net/)
AirSnort: breaks 802.11 keys; needs only 5-10 million packets (http://airsnort.shmoo.com/)
chopper: released August 2004; reduces the number of necessary packets to 200-500 thousand
Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…

Page 25: Windows Mobile Enterprise Security Best Practices

NetStumbler screen capture – Downtown Sacramento

Page 26: Windows Mobile Enterprise Security Best Practices

WiFiFoFum

Page 27: Windows Mobile Enterprise Security Best Practices

Airsnort cracked the WEP key – About 16 hours

chopper reduces by an order of magnitude

Page 28: Windows Mobile Enterprise Security Best Practices

Ten-minute WEP crack

Kismet: reconnaissance
Airodump: WEP cracking
Void11: deauth attack
Aireplay: replay attack

Source: tom’s networking

Page 29: Windows Mobile Enterprise Security Best Practices

Wireless LAN security evolution

Timeline (security increases from WEP to 802.11i):

1999   WEP             Privacy: 40 bit RC4 with 24 bit IV
                       Auth: SSID and Shared key
                       Integrity: CRC

2003   WPA             Privacy: Per packet keying (RC4) with 48 bit IV
                       Auth: 802.1x + EAP
                       Integrity: MIC

2005+  802.11i / WPA2  Privacy: AES
                       Auth: 802.1x + EAP
                       Integrity: MIC
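The IV sizes in the table decide how soon a keystream repeats under one key, which is the design weakness behind the WEP cracking times on the previous slides. The Python below is an added example, not part of the deck: it computes the birthday bound and the counter wrap-around time for a 24-bit and a 48-bit IV space and simulates the first IV reuse for 24 bits. It assumes random IV selection for the birthday figure (WEP implementations used random or counter IVs; TKIP's 48-bit sequence counter, and the 48-bit packet number of CCMP in 802.11i, are monotonic, which is why reuse and replay are rejected there) and a constructed traffic rate of 500 packets per second.

```python
import math
import random


def iv_space(iv_bits: int) -> int:
    """Number of distinct IVs the header field can carry."""
    return 1 << iv_bits


def packets_until_collision(iv_bits: int, probability: float = 0.5) -> int:
    """Birthday bound: packets with randomly chosen IVs until the chance that some IV has
    already been used under the same key reaches `probability`. Under WEP the IV is
    prepended to a static key, so a repeated IV means a repeated RC4 keystream."""
    n = iv_space(iv_bits)
    return math.ceil(math.sqrt(2 * n * math.log(1.0 / (1.0 - probability))))


def hours_until_counter_wraps(iv_bits: int, packets_per_second: float) -> float:
    """For a sequential IV counter: the interval after which keystreams under one key repeat
    even if every IV is used exactly once."""
    return iv_space(iv_bits) / packets_per_second / 3600.0


def simulate_first_reuse(iv_bits: int, seed: int = 1) -> int:
    """Draw random IVs until one repeats; return the packet count at the first reuse.
    Practical for 24 bits; for 48 bits the expected count (about 2^24 draws) is the point."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return count
        seen.add(iv)


def compare_generations(packets_per_second: float = 500.0) -> dict:
    """Figures for the generations in the table: WEP's 24-bit IV against the 48-bit TKIP
    sequence counter / CCMP packet number, at a constructed rate of 500 packets/s."""
    out = {}
    for label, bits in (("WEP (24-bit IV)", 24), ("WPA/TKIP and WPA2/CCMP (48-bit)", 48)):
        out[label] = {
            "iv_space": iv_space(bits),
            "packets_until_50pct_reuse": packets_until_collision(bits),
            "hours_until_counter_wraps": hours_until_counter_wraps(bits, packets_per_second),
        }
    return out


if __name__ == "__main__":
    for label, figures in compare_generations().items():
        print(label)
        for name, value in figures.items():
            print(f"  {name}: {value:,.0f}" if isinstance(value, float) else f"  {name}: {value:,}")
    print(f"first random 24-bit IV reuse in simulation after {simulate_first_reuse(24):,} packets")
```

With random IVs a busy WEP access point crosses the 50% reuse mark in under five thousand packets, and a sequential 24-bit counter wraps in about nine hours at 500 packets per second; the 48-bit field pushes the same numbers to roughly twenty million packets and tens of thousands of years, which is why the slide's per-packet keying with a 48-bit counter closed this particular hole.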

Page 30: Windows Mobile Enterprise Security Best Practices

Wi-Fi Protected Access (WPA)

Temporal Key Integrity Protocol: Fast/Per packet keying, Message Integrity Check
WPA-Personal / WPA-Enterprise

Page 31: Windows Mobile Enterprise Security Best Practices

IEEE 802.1x Explanation

(Diagram) Supplicant (Client) <-- 802.1x / EAP --> Authenticator (Access Point) <-- RADIUS / EAP --> Authentication Server (RADIUS Server); TKIP / MIC on the wireless link

Restricts physical access to the WLAN
Can use existing authentication system

Page 32: Windows Mobile Enterprise Security Best Practices

802.11i / WPA2

Ratified June 2004
AES selected by National Institute of Standards and Technology (NIST) as replacement for DES
  Symmetric-key block cipher
  Computationally efficient
  Can use large keys (> 1024 bits)
Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP (RFC 3610)
May require equipment upgrades
  Some WPA implementations already support AES
  Update for Windows XP (KB893357)

Page 33: Windows Mobile Enterprise Security Best Practices

Enterprise WLAN Security Options

WPA-Enterprise: Eventual transition to 802.11i; Requires WPA-compliant APs and NICs
VPN Overlay: Performance overhead (20-30%); VPN Concentrator required
RBAC: Additional appliance and infrastructure; Most refined access
Home WLAN: WEP key rotation, firewall, intrusion detection
Public WLAN: MAC address filter, secure billing, VPN passthrough

Page 34: Windows Mobile Enterprise Security Best Practices

Rogue Access Points

Highest risk when WLANs are NOT implemented
Usually completely unsecured
Connected by naïve (rather than malicious) users
Intrusion Detection Products: Manual, Sensors, Infrastructure
Multi-layer perimeters: 802.1x, RBAC, VPN

(Diagram) Internet / Intranet / Access

Page 35: Windows Mobile Enterprise Security Best Practices

Air Interfaces: WWAN

Page 36: Windows Mobile Enterprise Security Best Practices

Wireless WAN (Wide Area Network)

GSM, GPRS, HSCSD, EDGE, UMTS
CDMA 1XRTT, EV-DO, EV-DV, 3X
802.16, 802.20
2G -> 2.5G -> 3G -> 4G
Bandwidth 9.6 kbps - <2 Mbps
Large geographical coverage
International coverage through roaming

(Pictured) GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card

http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf

Page 37: Windows Mobile Enterprise Security Best Practices

Mobile Network Scenarios

(Diagram) Zones: PAN Zone, WLAN Zone, GPRS Zone, 3G Zone, Satellite Zone; persons 1 to 5

Surfing: Person 1 improves bandwidth by moving into a 3G area
MP3 Download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
At sea: Person 5 maintains coverage via satellite after leaving GPRS range

Columbitech, Birdstep, Ecutel

Page 38: Windows Mobile Enterprise Security Best Practices

Unauthorized Wireless Bridge

(Diagram) Private LAN bridged to Public Network

Page 39: Windows Mobile Enterprise Security Best Practices

Perimeter Security

Page 40: Windows Mobile Enterprise Security Best Practices

Refined Network Access

Binary Access Insufficient
Health checks become mandatory (NAP)
Complete Access Layer secured (e.g. 802.1x)

Page 41: Windows Mobile Enterprise Security Best Practices

Role-based Access Control

Bluesocket, Perfigo (Cisco), Cranite, Aruba, HP ProCurve (Vernier)

(Diagram) User Access Control inputs: Role, Schedule, Location, IP Address, Port, Time, VLAN
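To show what "refined" access looks like next to the binary admit/deny of the previous slide, here is a small policy evaluator (an added example, not any listed vendor's implementation) that decides on role, location, schedule, NAP-style health, destination address and port, and returns the VLAN to place the client in. The roles, locations, prefixes, ports and VLAN numbers are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time

REMEDIATION_VLAN = 900  # constructed: quarantine VLAN that only reaches patch and AV servers


@dataclass(frozen=True)
class Request:
    """What the access controller knows about one connection attempt (constructed fields)."""
    user: str
    role: str
    location: str      # where the client associated, e.g. an AP group name
    at: time           # local time of the request
    healthy: bool      # outcome of the NAP-style health check
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    role: str
    locations: frozenset
    start: time
    end: time
    networks: tuple          # destination prefixes the role may reach
    ports: frozenset
    vlan: int
    require_healthy: bool = True

    def window_open(self, at: time) -> bool:
        return self.start <= at <= self.end


# Constructed policy: one rule per role. Guest traffic lands in VLAN 99, which the firewall
# keeps off the intranet, so the guest rule can allow any destination prefix.
RULES = (
    Rule("employee", frozenset({"hq-floor2", "hq-floor3"}), time(7, 0), time(20, 0),
         ("10.0.0.0/8",), frozenset({22, 443, 3389}), vlan=10),
    Rule("contractor", frozenset({"hq-floor2"}), time(9, 0), time(17, 0),
         ("10.20.0.0/16",), frozenset({443}), vlan=20),
    Rule("guest", frozenset({"guest-lobby"}), time(0, 0), time(23, 59),
         ("0.0.0.0/0",), frozenset({80, 443}), vlan=99, require_healthy=False),
)


def decide(req: Request, rules=RULES):
    """Return (verdict, vlan, reason); verdict is 'allow', 'quarantine' or 'deny'.
    Checks run from the cheapest identity facts to the per-flow ones."""
    rule = next((r for r in rules if r.role == req.role), None)
    if rule is None:
        return "deny", None, "no rule for role"
    if req.location not in rule.locations:
        return "deny", None, "location not permitted for role"
    if not rule.window_open(req.at):
        return "deny", None, "outside schedule"
    if rule.require_healthy and not req.healthy:
        return "quarantine", REMEDIATION_VLAN, "health check failed"
    dst = ipaddress.ip_address(req.dst_ip)
    if not any(dst in ipaddress.ip_network(n) for n in rule.networks):
        return "deny", None, "destination outside role's networks"
    if req.dst_port not in rule.ports:
        return "deny", None, "port not permitted for role"
    return "allow", rule.vlan, "matched rule"


def sample_decisions() -> dict:
    """Constructed requests that exercise each branch of decide()."""
    cases = {
        "employee_ok": Request("alice", "employee", "hq-floor2", time(10, 0), True, "10.1.2.3", 443),
        "employee_unhealthy": Request("alice", "employee", "hq-floor2", time(10, 0), False, "10.1.2.3", 443),
        "contractor_late": Request("bob", "contractor", "hq-floor2", time(18, 0), True, "10.20.5.5", 443),
        "contractor_wrong_net": Request("bob", "contractor", "hq-floor2", time(11, 0), True, "10.1.2.3", 443),
        "guest_ssh": Request("eve", "guest", "guest-lobby", time(23, 0), False, "203.0.113.9", 22),
        "unknown_role": Request("mallory", "auditor", "hq-floor2", time(10, 0), True, "10.1.2.3", 443),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:>22}: {verdict}")
```

The order of checks is the design choice worth noting: health is evaluated before destination and port, so an unpatched but otherwise legitimate employee is steered into the remediation VLAN rather than silently denied, which is the behaviour the NAP bullet on the previous slide asks for.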

Page 42: Windows Mobile Enterprise Security Best Practices

Network Compartmentalization

Virus Throttling

Adaptive Network Architecture

Page 43: Windows Mobile Enterprise Security Best Practices

Summary

Security concerns are the greatest inhibitor to mobility
Wireless networks and devices introduce new risks
Some mobile security (e.g. WLAN) has been inadequate
The industry has since recognized and addressed the main threats
The key to mobile security is a thorough reevaluation of existing security

Page 44: Windows Mobile Enterprise Security Best Practices

Questions?

Contact me at: [email protected]