Microsoft Mobile & Embedded DevCon, Las Vegas, 2007
Windows Mobile Enterprise Security Best Practices
John Rhoton, Mobile Technology Lead, HP Services
But just what is mobility?
Devices: Mobility = mobile phones? Smart phones? PDAs?
Wireless: Mobility = wireless LANs? GSM/GPRS?
Applications: Mobility = form-factor adaptation? Synchronisation?
Facets of Mobile Security
[Diagram: mobility and wireless security layered on top of traditional security. Columns: devices; air transmissions (PAN, LAN, WAN); public networks; private networks; applications. Management spans all layers. Numbered regions match the agenda: 1 devices, 2 air interfaces, 3 remote access (VPN), 4 perimeter.]
Agenda
1. Mobile devices
2. Air interfaces: Bluetooth, 802.11b, WWAN
3. Remote access: tunnels (VPNs), roaming
4. Perimeter security: compartmentalization, access controls
Device Security (Windows Mobile)
Threats to Mobile Devices (threat: cause)
Stolen information: host intrusion, stolen device
Unauthorized network/application access: compromised credentials, host intrusion
Virus propagation: virus susceptibility
Lost information: lost, stolen or damaged device
[Timeline of mobile malware, June 2004 to July 2005 (source: Trend Micro)]
Windows CE (HP, etc.): Duts, Brador
Symbian OS (Nokia, etc.): Cabir, Skulls, Vlasco, Locknut (Gavno), Comwar, Dampig, Drever, Mabir, Qdial, Fontal, Hobbes, Doomed
Mobile Device Security Management
Platform selection and configuration
Policy enforcement: passwords, device lock, policy updates
User support: device lockout, backup/restore
Every choice sits on a scale between security and usability
Windows Mobile Content Protection: Access Control Approaches
Simple lock-out
Encryption. Where is the private key stored? Either in a smartcard / TPM, or derived from a hash of the user password; a password-derived key is only as strong as the password, so it is exposed to an offline dictionary attack against the stored data
Couple encryption with strong password policies
Prevent insecure boot (analogous to a BIOS password and DriveLock on a PC)
Choice depends on: sensitivity of the data; sustainable impact on usability and performance; trust in the users' password selection
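The dictionary-attack risk of a password-derived key, and what a strong password policy buys, as an added example that is not part of the original deck and not the method of any product named on it. `weak_derive` stands in for "hash the password and use it as the key"; `strong_derive` uses PBKDF2 (my assumed mitigation, not something the deck specifies); the wordlist, salt and passwords are constructed. The policy check is a hypothetical minimal rule set.

```python
import hashlib
import hmac
import time

# Constructed attacker wordlist (not real data).
WORDLIST = ["password", "letmein", "qwerty", "ipaq2007", "summer07", "hp12345"]
# Constructed per-device salt; a real device would generate one at provisioning.
SALT = bytes.fromhex("a3f1c2d4e5b6978800112233445566ff")


def weak_derive(password: str) -> bytes:
    """Key = unsalted single hash of the password: one SHA-1 per attacker guess."""
    return hashlib.sha1(password.encode("utf-8")).digest()[:16]


def strong_derive(password: str, salt: bytes = SALT, iterations: int = 100_000) -> bytes:
    """Key = PBKDF2-HMAC-SHA256: salted (no precomputed tables) and iterated,
    so every guess costs the attacker `iterations` HMAC evaluations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=16)


def dictionary_attack(target_key: bytes, derive, candidates):
    """Offline attack: re-derive the key for each candidate password and compare.
    Returns the recovered password, or None if it is not in the dictionary."""
    for pw in candidates:
        if hmac.compare_digest(derive(pw), target_key):
            return pw
    return None


def policy_ok(password: str, min_len: int = 8, min_classes: int = 3) -> bool:
    """Hypothetical minimal policy: length plus a mix of character classes."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) >= min_len and classes >= min_classes


def timed_attack(target_key: bytes, derive, candidates):
    """Run the dictionary attack and report wall-clock cost of the guesses."""
    t0 = time.perf_counter()
    found = dictionary_attack(target_key, derive, candidates)
    return found, time.perf_counter() - t0


if __name__ == "__main__":
    # Weak scheme: a dictionary word falls instantly.
    print(timed_attack(weak_derive("summer07"), weak_derive, WORDLIST))
    # Strong KDF: the same weak password still falls, only slower; the KDF
    # raises the price per guess, the policy removes the guessable passwords.
    print(timed_attack(strong_derive("summer07"), strong_derive, WORDLIST))
    print(timed_attack(weak_derive("Corr3ct-H0rse!"), weak_derive, WORDLIST))
    for pw in ("summer07", "Corr3ct-H0rse!"):
        print(pw, "passes policy:", policy_ok(pw))
```

The second line of output shows the point of the slide: the KDF alone does not save a password that is in the attacker's list, it only multiplies the cost per guess, which is why the deck pairs encryption with a password policy.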
iPAQ Content Protection: Access Control Solutions
Native Pocket PC, biometric authentication, HP ProtectTools, Pointsec, Credant
Enterprise Requirements
Integrated management console
Directory (AD/LDAP) integration
Centralized policies: policy polling, user cannot remove, screen-lock / idle-lock
MSFP: Messaging and Security Feature Pack
Exchange 2003 SP2 with Windows Mobile 5.0 (persistent storage)
S/MIME
Certificate-based authentication
Policy enforcement
Local wipe and remote wipe
Summary of Access Control
Credant: centralized management; adopted by HP IT; Personal Edition bundled with iPAQ
Pointsec: centralized management; multi-platform (Windows Mobile and Windows, full disk encryption)
HP ProtectTools: no encryption; government certification; secure boot
Mobile device security and mobile device management are tightly connected in a comprehensive enterprise solution!
Air Interfaces: Bluetooth
Pairing & Authentication
Pairing: requires access to both devices; manual input of a security code ("PIN"); the PIN does not need to be stored or remembered afterwards
Authentication: based on the stored link keys; no user intervention
Bluetooth Security
Acceptable security algorithms: initialization, authentication, encryption
Prevention of discoverability, connectability and pairing
Proximity requirement
Multi-tiered security
[Diagram: devices A, B, C and D each with their own key (KA to KD); master device M with master key KM and per-link keys KMA, KMB, KMC, KMD.]
Bluetooth vulnerability
PIN attack: the PIN is often hard-coded and usually short (4 digits)
Bluejacking
Bluesnarfing
Virus propagation
Centralized policy management is critical in the enterprise!
Air Interfaces: WLAN
Needs determine security. The options, from weakest to strongest:
SSID
MAC filter
WEP
WPA/802.11i
MAC Filters
Requires management of the list of authorized MAC addresses
An LAA (Locally Administered Address) set in software overrides the UAA (Universally Administered Address) burned into the card, so any client can present an authorized address it has observed on the air; a MAC filter keeps out only accidental visitors
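A check a WLAN administrator can run against the association log to catch the cheaper forms of MAC spoofing, as an added example not taken from the deck: flag stations whose address has the U/L (locally administered) bit set, flag LAA "twins" that differ from an authorized address only in that bit, and flag an authorized address that appears on more than one AP. The log format, AP names, addresses and allowlist are all constructed. The caveat is the deck's own point: a spoofer who copies an authorized UAA exactly and waits for the real owner to leave is invisible to this check, which is why the filter is only the weakest rung.

```python
import re

# Constructed AP association log (not real data). One line per association event.
ASSOC_LOG = """\
2007-05-01 09:12:03 ap01 STA 00:16:cb:12:34:56 associated (ssid=corp)
2007-05-01 09:12:41 ap01 STA 02:16:cb:12:34:56 associated (ssid=corp)
2007-05-01 09:13:10 ap01 STA 00:0f:3d:aa:bb:cc associated (ssid=corp)
2007-05-01 09:13:12 ap02 STA 00:0f:3d:aa:bb:cc associated (ssid=corp)
2007-05-01 09:14:55 ap02 STA 0a:11:22:33:44:55 associated (ssid=corp)
2007-05-01 09:15:20 ap02 STA 00:1a:2b:3c:4d:5e associated (ssid=corp)
"""

# Constructed MAC allowlist, as a MAC filter would hold it.
ALLOWLIST = {"00:16:cb:12:34:56", "00:0f:3d:aa:bb:cc"}

# Hypothetical log line layout: "<date> <time> <ap> STA <mac> associated ..."
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ap>\S+) STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) associated",
    re.IGNORECASE,
)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the IEEE U/L bit: 1 = locally administered (software-set)."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def with_ul_bit_cleared(mac: str) -> str:
    """The UAA this LAA would be if the U/L bit were cleared."""
    octets = mac.split(":")
    octets[0] = "%02x" % (int(octets[0], 16) & ~0x02)
    return ":".join(octets)


def audit_associations(log_text: str, allowlist) -> dict:
    """Return {mac: reason} for stations that deserve a look."""
    allow = {m.lower() for m in allowlist}
    aps_seen = {}
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ap, mac = m.group("ap"), m.group("mac").lower()
        aps_seen.setdefault(mac, set()).add(ap)
        if is_locally_administered(mac):
            twin = with_ul_bit_cleared(mac)
            if twin in allow:
                findings[mac] = "locally administered twin of authorized " + twin
            else:
                findings[mac] = "locally administered address (software-set MAC)"
        elif mac not in allow:
            findings[mac] = "not in allowlist"
    # An authorized address associated to several APs is either roaming or cloned.
    for mac, aps in aps_seen.items():
        if mac in allow and len(aps) > 1:
            findings[mac] = "authorized address seen on multiple APs: " + ",".join(sorted(aps))
    return findings


if __name__ == "__main__":
    for mac, reason in sorted(audit_associations(ASSOC_LOG, ALLOWLIST).items()):
        print(mac, "->", reason)
```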
Equipment of a Wi-Fi Freeloader
Mobile device: Linux, Windows or Pocket PC
Wireless card: Orinoco or Prism 2 card, with a driver that supports promiscuous (monitor) mode
Cantenna and a wireless MMCX-to-N-type cable
Increasing the Transmission Range
DEFCON 2005 WiFi Shootout: 200 km
• Large dishes
• High power levels
• Line-of-sight
Bringing the "War" to War Driving
Tools
NetStumbler: access point reconnaissance, http://www.netstumbler.com
WEPCrack: breaks 802.11 WEP keys, http://wepcrack.sourceforge.net/
AirSnort: breaks 802.11 WEP keys; needs only 5-10 million packets, http://airsnort.shmoo.com/
chopper (released August 2004): reduces the number of necessary packets to 200-500 thousand
Others: Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…
NetStumbler screen capture – Downtown Sacramento
WiFiFoFum
AirSnort cracked the WEP key in about 16 hours; chopper reduces this by an order of magnitude
Ten-Minute WEP Crack (source: Tom's Networking)
Kismet: reconnaissance
Airodump: packet capture feeding the WEP cracker
Void11: deauthentication attack, forcing clients to reconnect
Aireplay: replay attack, re-injecting captured frames so the AP generates the traffic the cracker needs
Wireless LAN Security Evolution
Timeline (security increases from left to right):
WEP (1999): Privacy: 40-bit RC4 with 24-bit IV; Auth: SSID and shared key; Integrity: CRC
WPA (2003): Privacy: per-packet keying (RC4/TKIP) with 48-bit IV; Auth: 802.1X + EAP; Integrity: MIC
802.11i / WPA2 (2005+): Privacy: AES; Auth: 802.1X + EAP; Integrity: MIC
Wi-Fi Protected Access (WPA): Temporal Key Integrity Protocol (TKIP)
Fast per-packet keying, Message Integrity Check (MIC)
WPA-Personal (pre-shared key) and WPA-Enterprise (802.1X)
IEEE 802.1X Explanation
[Diagram: Supplicant (client) <-> Authenticator (access point) <-> Authentication Server (RADIUS server). EAP runs end to end, carried over 802.1X between client and access point and over RADIUS between access point and server; TKIP / MIC protects the data link once authentication succeeds.]
Restricts physical access to the WLAN: the port stays closed until authentication succeeds
Can use the existing authentication system
802.11i / WPA2
Ratified June 2004
AES, selected by the National Institute of Standards and Technology (NIST) as the replacement for DES: symmetric-key block cipher, computationally efficient, 128-bit block with 128-, 192- or 256-bit keys (802.11i uses 128-bit keys)
CCMP (Counter Mode with CBC-MAC Protocol, based on the CCM mode of RFC 3610): AES in counter mode for confidentiality plus a CBC-MAC for integrity; the mandatory cipher suite in 802.11i, replacing TKIP, which remains only for legacy WPA hardware
May require equipment upgrades; some WPA implementations already support AES
Update for Windows XP (KB893357)
Enterprise WLAN Security Options
WPA-Enterprise: eventual transition to 802.11i; requires WPA-compliant APs and NICs
VPN overlay: performance overhead (20-30%); VPN concentrator required
RBAC: additional appliance and infrastructure; most refined access
Home WLAN: WEP key rotation, firewall, intrusion detection
Public WLAN: MAC address filter, secure billing, VPN passthrough
Rogue Access Points
Highest risk when the enterprise has NOT deployed a sanctioned WLAN: users bring in their own access points
Usually completely unsecured
Connected by naïve (rather than malicious) users
Intrusion detection products: manual sweeps, sensors, infrastructure-based
Multi-layer perimeters: 802.1X, RBAC, VPN
[Diagram: Internet / Intranet / Access layers]
Air Interfaces: WWAN
Wireless WAN (Wide Area Network)
GSM, GPRS, HSCSD, EDGE, UMTS; CDMA 1xRTT, EV-DO, EV-DV, 3X; 802.16, 802.20
2G -> 2.5G -> 3G -> 4G
Bandwidth 9.6 kbps to <2 Mbps
Large geographical coverage; international coverage through roaming
Devices: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card
http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf
Mobile Network Scenarios
[Diagram: PAN zone, WLAN zone, GPRS zone, 3G zone and satellite zone, with persons 1 to 5 moving between them]
Surfing: Person 1 improves bandwidth by moving into a 3G area
MP3 download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
At sea: Person 5 maintains coverage via satellite after leaving GPRS range
Roaming / mobile VPN vendors: Columbitech, Birdstep, Ecutel
Unauthorized Wireless Bridge
[Diagram: a client attached to both the private LAN and a public network bridges the two, bypassing the perimeter]
Perimeter Security
Refined Network Access
Binary access (in or out) is insufficient
Health checks become mandatory (NAP)
Complete access layer secured (e.g. 802.1X)
Role-Based Access Control
Vendors: Bluesocket, Perfigo (Cisco), Cranite, Aruba, HP ProCurve (Vernier)
[Diagram: user access control decided by role, schedule and location, enforced on IP address, port, time and VLAN]
Network Compartmentalization
Virus throttling
Adaptive network architecture
Summary
Security concerns are the greatest inhibitor to mobility
Wireless networks and devices introduce new risks
Some mobile security (e.g. WLAN) has been inadequate
The industry has since recognized and addressed the main threats
The key to mobile security is a thorough reevaluation of existing security
Questions?
Contact me at: [email protected]