IGillottResearch An Introduction to Wireless Security WebCast Iain Gillott Charul Vyas April 23, 2002.


1 iGillottResearch An Introduction to Wireless Security WebCast Iain Gillott Charul Vyas April 23, 2002

2 iGillottResearch www.igillottresearch.com Agenda
- Security Basics
- Mobile Security
- Why is Mobile Security important?
- Can we have too much security?
- Authentication
- WLAN Security
- Recommendations

3 Security Basics
- AAA: Authentication, Authorization, Auditing
  - Identity of an end user is verified, e.g. biometric
  - Remote access dial-in user service (RADIUS) is the best known and most widely used AAA protocol
- Nonrepudiation
  - In the physical world, nonrepudiation is achieved through handwritten signatures
  - Digital signatures (a string of unique bits attached to a message) fill that need
  - The challenge is that there is very little legal recognition yet for digital signatures
- Encryption
  - Process of encoding information in such a way as to make it inaccessible

4 Security Basics …
- PKI
  - Digital certificates (“certs”) are electronic credentials that bind the identity of a certificate owner to a pair (public and private) of electronic keys that can be used to encrypt and sign digital information
  - Not an end all security method because digital certificates from different vendors do not interoperate
- Wireless PKI
  - Issue is limited UIs, processors, bandwidth, memory, battery life on mobile devices
  - Limited effectiveness of PKI

5 Security Basics …
- IPSec: IP security
  - Implemented at the IP layer (Layer 3 of the OSI Model)
  - Creates secure tunnels between users and/or hosts
  - Encapsulates each data packet in a new packet
  - Contains the information necessary to set up, maintain and tear down the tunnel when it is no longer needed
  - Designed to provide VPN technology and connectivity
- SSL: Secure Sockets Layer
  - Very effective in securing communications in an open user group
  - Originally developed by Netscape
  - Adopted by the IETF as the transport layer security (TLS) protocol
  - WAP Forum has incorporated a modified version of SSL/TLS technology into its WAP specification, calling it wireless TLS (WTLS)

6 Mobile Security: Why is Mobile Security Important?
- Recent proliferation of wireless data capable devices
- Enterprises and individuals are beginning to make use of wireless data
  - Access corporate data and applications
- Wireless is a shared medium
  - Inherently less secure than conventional wireline connectivity
  - Steps need to be taken to ensure the privacy and authentication of data transmitted
- Security becoming increasingly important to enterprises
  - Security concerns are cited as a main reason why companies do not mobile
  - In many cases, perception of problem greater than the actual problem

7 Why is Security Lacking?
- Problems with mobile and portable solutions
- Two main issues:
  - Lack of user authentication to the device and/or network
  - Lack of encryption or sufficiently strong encryption to deter motivated intruders
- Good security starts with four basic principles: AAA (authentication, authorization and auditing), integrity, privacy and nonrepudiation
- Besides the authentication issues, wireless suffers from lack of strong encryption, or lack of any type of encryption at all

8 Can we have too much Security?
- Problem is that we can make a solution so secure it is unusable
  - If need a PIN, blood sample, retina scan and PKI just to check a bank balance, few will use the application
- Only the User can decide what level of security is appropriate for specific applications
- Security profiles therefore need to be portable
- …and flexible

9 WAP and WTLS
- WAP security is provided by the wireless transport layer security (WTLS) protocol
  - Based on SSL
  - Optimized for use in the high latency, low bandwidth wireless networks
  - Provides data integrity, confidentiality/privacy, and authentication
- WTLS has three different classes:
  - Class 1: Uses an unauthenticated Diffie-Hellman key exchange to establish the session key
  - Class 2: Forces server-side authentication using public key certificates
    - WTLS certificate used by WAP is “thinner,” having been optimized for use on wireless networks
  - Class 3: Implements the server-to-client/client-to-server mutual authentication that is optionally used in SSL

10 The WAP Gap
- Two legs on the data path from a WAP handset through gateway to content server
  - From the content provider to the WAP gateway in the carrier network via IP and SSL
  - From the carrier WAP gateway to the handset via WAP and WTLS
- The WAP gap is the result of having to convert between WTLS and SSL
- WAP Forum responded by removing the WAP gap in version 2.0 through the use of:
  - Dynamic proxy navigation (DPN)
  - Manual proxy navigation (MPN)

11 Viruses
- There have been few instances of viruses that targeted wireless devices
  - One Palm OS
  - No real viruses on the Symbian OS
  - No known malware for Windows Pocket PC devices
  - Yet …
- As more smart devices enter the market it is likely that more viruses will spring up
- Just as broadband wireline connectivity allows always-on access, so too will IP-enabled phones …
- Such exposure in the wireline world means that personal firewall software on the modem/PC is a must …
- It is reasonable to expect such firewall applications will be needed on IP phones

12 Authentication
- Robust user authentication will help solve many of the problems discussed
- Accomplished via a variety of methods:
  - Strong username/password access implemented consistently across all devices deployed by the enterprise
  - Use of token-based access, such as SecurID
    - Requires live access to the SecurID server so the entered PIN can be matched against the server’s expectations
  - Biometric solutions integrated into the device itself or on a smart card
  - PKI could also be implemented on the smart card and phone/device, with key exchange and certificate validation happening when the card is inserted into the phone
- The best user authentication is two-factor based
  - Username/password in combination with a token; or with biometrics
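
Server-side check for the two-factor login this slide recommends, as an added example that is not from the presentation. SecurID's algorithm is proprietary, so the token factor is stood in for by the open RFC 6238 time-based code; `AuthServer`, its methods and any seed passed to it are hypothetical.

```python
import hashlib, hmac, os, struct

STEP = 30  # seconds each token code stays valid

def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the time step containing unix_time."""
    mac = hmac.new(seed, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AuthServer:
    """Hypothetical verifier; it has to be reachable at login time."""

    def __init__(self):
        self.users = {}

    def enroll(self, user: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw": _pw_hash(password, salt),
                            "seed": seed, "last_step": -1}

    def verify(self, user: str, password: str, code: str, now: int) -> bool:
        rec = self.users.get(user)
        if rec is None:
            return False
        # Factor 1: something the user knows.
        pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
        # Factor 2: something the user has. Allow one step of clock drift and
        # refuse any step at or before the last accepted one (replayed code).
        for t in (now - STEP, now, now + STEP):
            step = t // STEP
            if t < 0 or step <= rec["last_step"]:
                continue
            if hmac.compare_digest(totp(rec["seed"], t), code):
                if pw_ok:
                    rec["last_step"] = step
                return pw_ok
        return False
```

A login succeeds only when both factors match, and a code that has been accepted once is rejected if it is presented again.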

13 WLAN Security
- Security Flaws
  - PKI can be used to address the failing of 802.11b’s security mechanism, wired equivalent privacy (WEP)
  - WEP is flawed because
    - Algorithm itself uses too short a key (40 bits)
    - Keys are shared between the client and its access point
    - Basic WEP contains no provision for the secure distribution and management of those keys
- Fixes
  - IPsec VPNs are the best and easiest way to secure WLANs
  - Security can be extended to a local domain of WLAN users as well as to those users that remotely access the network
  - IPsec also contains standard provisions for key distribution and management
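
The WEP weaknesses listed on this slide, shown as an added example that is not from the presentation: each frame is encrypted with RC4 under IV || shared key, so only 40 bits are secret and every station holds the same key. The frame layout is simplified (no 802.11 header or key ID byte), and the key, IV and payload are constructed sample values.

```python
import struct, zlib

WEP40_KEY_BITS = 40            # secret part of every per-frame RC4 key
IV_LEN = 3                     # 24-bit IV, sent in the clear with each frame

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)

def wep_seal(shared_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Simplified WEP body: IV || RC4(IV || key, payload || CRC-32)."""
    assert len(shared_key) * 8 == WEP40_KEY_BITS and len(iv) == IV_LEN
    return iv + rc4(iv + shared_key, payload + _icv(payload))

def wep_open(shared_key: bytes, frame: bytes) -> bytes:
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    plain = rc4(iv + shared_key, body)
    payload, icv = plain[:-4], plain[-4:]
    if icv != _icv(payload):
        raise ValueError("ICV mismatch: wrong key or damaged frame")
    return payload

def read_by_other_station() -> bytes:
    """Station B opens station A's frame with the one key both were given."""
    network_key = bytes.fromhex("0102030405")        # constructed 40-bit key
    frame_from_a = wep_seal(network_key, b"\x00\x00\x01", b"payroll report")
    return wep_open(network_key, frame_from_a)       # B holds the same key
```

Every station configured with the network key can open every other station's frames, and replacing that key means reconfiguring each device by hand, which is the key management gap the slide lists.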

14 WLAN Security …
- Authentication
  - IEEE is currently working on the 802.1x standard which incorporates extensible authentication protocol (EAP) support into 802.11 networks
  - As a result, WLANs can use RADIUS servers, quite often already deployed within an enterprise, to authenticate users

15 Recommendations
- No one can guarantee airtight security
- Enterprises can take steps to increase security
- Should not be an issue that stops wireless solution implementation
- Recommendations:
  - Adopt and enforce a corporate-wide policy governing the use of mobile devices
  - Selected devices should contain support for current security/technology standards
  - User-to-device/user-to-network authentication technology is available and should be deployed
  - Understand that deployment of wireless PKI, in either a mobile and/or portable environment, is risky
  - Security fixes from one WLAN provider may not carry over to another vendor
  - Consider IPsec VPNs as a way to secure the WLAN

16 Recommendations …
- Test the hackers' weapons against the network
- Do not allow employees to install their own WLANs
- For Wireless Vendors
  - Does your solution support the necessary security?
- Security is a long term issue
  - As IP networks and devices proliferate, new issues will arise
    - Management of physical device
    - Management of keys, etc.
    - Network management
    - Virus protection
    - RADIUS management

17 Questions?
- Iain Gillott, (512) 301-1675, iain@igillottresearch.com
- Charul Vyas, (512) 383-9091, charulv@igillottresearch.com

