Windows Mobile Enterprise Security Best Practices
![Page 1: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/1.jpg)
Windows Mobile Enterprise Security Best Practices
John Rhoton
Mobile Technology Lead
HP Services
![Page 2: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/2.jpg)
But just what is mobility?
Devices: Mobility = mobile phones? Smart phones? PDAs?
Wireless: Mobility = wireless LANs? GSM/GPRS?
Applications: Mobility = form-factor adaptation? Synchronisation?
![Page 3: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/3.jpg)
Facets of Mobile Security
Figure: layers labelled management; devices (1); air transmissions over PAN, LAN and WAN (2); public networks, VPN (3); private networks (4); applications. The axis runs from mobility and wireless to traditional security.
![Page 4: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/4.jpg)
Agenda
1. Mobile devices
2. Air interfaces: Bluetooth, 802.11b, WWAN
3. Remote access: tunnels (VPNs), roaming
4. Perimeter security: compartmentalization, access controls
![Page 5: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/5.jpg)
Device Security (Windows Mobile)
![Page 6: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/6.jpg)
Threats to Mobile Devices
Stolen information: host intrusion, stolen device
Unauthorized network/application access: compromised credentials, host intrusion
Virus propagation: virus susceptibility
Lost information: lost, stolen or damaged device
Figure: timeline of mobile malware from 20 June 2004 to 4 July 2005 (Cabir, Duts, Brador, Qdial, Skulls, Vlasco, Locknut (Gavno), Comwar, Dampig, Drever, Mabir, Fontal, Hobbes, Doomed), each marked as Symbian OS (Nokia, etc.) or Windows CE (HP, etc.). Source: Trend Micro.
![Page 7: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/7.jpg)
Mobile Device Security Management
Platform selection and configuration
Policy enforcement: passwords, device lock, policy updates
User support: device lockout, backup/restore
Security vs. usability
![Page 8: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/8.jpg)
Windows Mobile Content Protection: Access Control Approaches
Simple lock-out
Encryption
Private key storage? Smartcard / TPM; hash private key (dictionary attack)
Couple with strong password policies
Prevent insecure boot: analogous to BIOS password and DriveLock
Choice depends on: sensitivity of data; sustainable impact on usability and performance; trust in user password selection
![Page 9: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/9.jpg)
iPAQ Content Protection: Access Control Solutions
Native Pocket PC; biometric authentication; HP ProtectTools; Pointsec; Credant
![Page 10: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/10.jpg)
Enterprise Requirements
Integrated management console
Directory (AD/LDAP) integration
Centralized policies: policy polling; user cannot remove; screen-lock / idle-lock
![Page 11: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/11.jpg)
MSFP: Messaging and Security Feature Pack
Exchange 2003 SP2
Windows Mobile 5.0 (persistent storage)
S/MIME
Certificate-based authentication
Policy enforcement: local wipe, remote wipe
![Page 12: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/12.jpg)
Summary of Access Control
Credant: centralized management; adopted by HP IT; Personal Edition bundled with iPAQ
Pointsec: centralized management; multi-platform: Windows Mobile and Windows (full disk encryption)
HP ProtectTools: no encryption; government certification; secure boot
Mobile device security and mobile device management are tightly connected in a comprehensive enterprise solution!
![Page 13: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/13.jpg)
Air Interfaces: Bluetooth
![Page 14: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/14.jpg)
Pairing & Authentication
Pairing: access to both devices; manual input of security code ("PIN"); no need to store or remember
Authentication: based on stored keys; no user intervention
![Page 15: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/15.jpg)
Bluetooth Security
Acceptable security algorithms: initialization, authentication, encryption
Prevention of discoverability, connectability and pairing
Proximity requirement
Figure: link keys between devices A, B, C, D and a master M (labelled K_AD, K_MA, K_MB, K_MC, K_MD).
![Page 16: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/16.jpg)
Multi-tiered security
![Page 17: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/17.jpg)
Bluetooth vulnerability
PIN attack: often hard-coded; usually short (4-digit)
Bluejacking
Bluesnarfing
Virus propagation
Centralized policy management is critical in the enterprise!
![Page 18: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/18.jpg)
Air Interfaces: WLAN
![Page 19: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/19.jpg)
Needs determine security
SSID
MAC filter
WEP
WPA/802.11i
![Page 20: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/20.jpg)
MAC Filters
Requires management of authorized MAC addresses
LAA (Locally Administered Address) can override UAA (Universally Administered Address)
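As an added example (not from the slides): the U/L bit in the first octet of a MAC address is what marks a locally administered address, so a defender can at least flag associations that announce an LAA, while a filter itself only checks list membership. The log format and addresses below are constructed.

```python
"""Flag WLAN associations whose MAC address is locally administered.

Added example, not from the original slides. The log format and the MAC
addresses are constructed for illustration.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed association log: "<timestamp> assoc <client MAC> ssid=<ssid>"
SAMPLE_LOG = """\
2005-09-12T08:01:13 assoc 00:0d:9d:12:34:56 ssid=corp
2005-09-12T08:01:47 assoc 02:0d:9d:12:34:56 ssid=corp
2005-09-12T08:02:05 assoc 00:60:1d:aa:bb:cc ssid=corp
2005-09-12T08:02:31 assoc 0a:1b:2c:3d:4e:5f ssid=corp
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
LINE_RE = re.compile(r"^(\S+)\s+assoc\s+(\S+)\s+ssid=(\S+)$")

@dataclass(frozen=True)
class MacInfo:
    mac: str
    locally_administered: bool  # U/L bit: 0x02 of the first octet
    multicast: bool             # I/G bit: 0x01 of the first octet

def classify_mac(mac: str) -> MacInfo:
    """Read the U/L and I/G flags from a colon-separated MAC address."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(mac.split(":")[0], 16)
    return MacInfo(mac.lower(), bool(first_octet & 0x02), bool(first_octet & 0x01))

def allowed_by_mac_filter(mac: str, allow_list: set[str]) -> bool:
    """What a MAC filter actually checks: list membership of the announced address.

    A host that copies an allowed UAA exactly passes with the U/L bit clear,
    which is why the filter proves nothing about identity.
    """
    return classify_mac(mac).mac in {a.lower() for a in allow_list}

def flag_locally_administered(log_text: str) -> list[tuple[str, str]]:
    """Return (timestamp, mac) for associations announcing a locally administered address.

    Such entries deserve review rather than automatic blocking: some drivers
    set the bit legitimately, and a spoofer copying a real UAA never sets it.
    """
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, mac, _ssid = m.groups()
        info = classify_mac(mac)
        if info.locally_administered:
            flagged.append((ts, info.mac))
    return flagged

if __name__ == "__main__":
    for ts, mac in flag_locally_administered(SAMPLE_LOG):
        print(f"{ts} locally administered address associated: {mac}")
```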
![Page 21: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/21.jpg)
Equipment of a Wi-Fi freeloader
Mobile device: Linux, Windows, Pocket PC
Wireless card: Orinoco card, Prism 2 card
Driver for promiscuous mode
Cantenna and wireless MMCX to N type cable
![Page 22: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/22.jpg)
Increasing the transmission range
200 km: DEFCON 2005 WiFi Shootout
• Large dishes
• High power levels
• Line-of-sight
![Page 23: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/23.jpg)
Bringing the “War” to War Driving
![Page 24: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/24.jpg)
Tools
NetStumbler: access point reconnaissance (http://www.netstumbler.com)
WEPCrack: breaks 802.11 keys (http://wepcrack.sourceforge.net/)
AirSnort: breaks 802.11 keys; needs only 5-10 million packets (http://airsnort.shmoo.com/)
chopper: released August 2004; reduces the number of necessary packets to 200-500 thousand
Aircrack, Airopeek, Airsnare, Airmagnet, Airjack, Aerosol, Kismet, Packetyzer, NAI Sniffer, Retina WiFi Scanner…
![Page 25: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/25.jpg)
NetStumbler screen capture – Downtown Sacramento
![Page 26: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/26.jpg)
WiFiFoFum
![Page 27: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/27.jpg)
Airsnort cracked the WEP key – about 16 hours
chopper reduces this by an order of magnitude
![Page 28: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/28.jpg)
Ten-minute WEP crack
Kismet: reconnaissance
Airodump: WEP cracking
Void11: deauth attack
Aireplay: replay attack
Source: tom’s networking
![Page 29: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/29.jpg)
Wireless LAN security evolution

| | WEP (1999) | WPA (2003) | 802.11i / WPA2 (2005+) |
|---|---|---|---|
| Privacy | 40 bit RC4 with 24 bit IV | Per-packet keying (RC4) with 48 bit IV | AES |
| Auth | SSID and shared key | 802.1x + EAP | 802.1x + EAP |
| Integrity | CRC | MIC | MIC |

Axes: timeline (left to right), security (increasing).
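The IV sizes in the table above determine how soon the same RC4 key stream is reused under one key. The following added example (not from the slides) works the birthday bound and the counter-exhaustion time for 24-bit and 48-bit IVs; the 1000 frames/s rate is an assumption, and the AirSnort packet counts on the Tools slide come from weak-IV attacks, which this does not model.

```python
"""Why a 24-bit IV is too small: key-stream reuse under WEP versus WPA/TKIP.

Added example, not from the original slides. The frame rate is a constructed
assumption, roughly plausible for an 11 Mbps 802.11b network.
"""
import math

WEP_IV_BITS = 24   # from the slide: 40-bit RC4 key with 24-bit IV
TKIP_IV_BITS = 48  # from the slide: per-packet keying with 48-bit IV

def collision_probability(n_packets: int, iv_bits: int) -> float:
    """Probability that at least two of n randomly chosen IVs coincide.

    Birthday approximation 1 - exp(-n(n-1)/2N). A repeated IV under the same
    key means two frames encrypted with the same RC4 key stream.
    """
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))

def packets_for_probability(p: float, iv_bits: int) -> int:
    """Smallest number of random IVs at which the collision probability reaches p."""
    if not 0 < p < 1:
        raise ValueError("p must be strictly between 0 and 1")
    space = 2 ** iv_bits
    # invert the approximation: n ~ sqrt(2 N ln(1/(1-p)))
    return math.ceil(math.sqrt(2.0 * space * math.log(1.0 / (1.0 - p))))

def seconds_to_exhaust(iv_bits: int, frames_per_second: float) -> float:
    """Time until a sequential IV counter wraps and must repeat under the same key."""
    return 2 ** iv_bits / frames_per_second

def compare(frames_per_second: float = 1000.0) -> dict:
    """Side-by-side figures for the slide's two IV sizes."""
    out = {}
    for name, bits in (("WEP", WEP_IV_BITS), ("WPA/TKIP", TKIP_IV_BITS)):
        out[name] = {
            "iv_bits": bits,
            "packets_to_50pct_collision": packets_for_probability(0.5, bits),
            "hours_to_exhaust_counter": seconds_to_exhaust(bits, frames_per_second) / 3600,
        }
    return out

if __name__ == "__main__":
    # WEP: ~4800 frames to a 50% chance of IV reuse, counter wraps in under 5 hours;
    # TKIP: millions of frames and thousands of years at the same rate.
    for name, row in compare().items():
        print(name, row)
```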
![Page 30: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/30.jpg)
Wi-Fi Protected Access (WPA)
Temporal Key Integrity Protocol: fast/per-packet keying, Message Integrity Check
WPA-Personal; WPA-Enterprise
![Page 31: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/31.jpg)
IEEE 802.1x Explanation
Figure: Supplicant (client) — Authenticator (access point) — Authentication Server (RADIUS server). EAP runs over 802.1x between client and access point and over RADIUS between access point and server; TKIP / MIC protects the client–access point link.
Restricts physical access to the WLAN
Can use existing authentication system
![Page 32: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/32.jpg)
802.11i / WPA2
Ratified June 2004
AES selected by the National Institute of Standards and Technology (NIST) as replacement for DES: symmetric-key block cipher; computationally efficient; can use large keys (> 1024 bits)
Cipher Block Chaining Message Authentication Code (CBC-MAC or CCMP) complements TKIP (RFC 3610)
May require equipment upgrades; some WPA implementations already support AES
Update for Windows XP (KB893357)
![Page 33: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/33.jpg)
Enterprise WLAN Security Options
WPA-Enterprise: eventual transition to 802.11i; requires WPA-compliant APs and NICs
VPN overlay: performance overhead (20-30%); VPN concentrator required
RBAC: additional appliance and infrastructure; most refined access
Home WLAN: WEP key rotation, firewall, intrusion detection
Public WLAN: MAC address filter, secure billing, VPN passthrough
![Page 34: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/34.jpg)
Rogue Access Points
Highest risk when WLANs are NOT implemented
Usually completely unsecured
Connected by naïve (rather than malicious) users
Intrusion detection products: manual, sensors, infrastructure
Multi-layer perimeters: 802.1x, RBAC, VPN
Figure labels: Internet, Intranet, Access.
![Page 35: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/35.jpg)
Air Interfaces: WWAN
![Page 36: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/36.jpg)
Wireless WAN (Wide Area Network)
GSM, GPRS, HSCSD, EDGE, UMTS
CDMA 1XRTT, EV-DO, EV-DV, 3X
802.16, 802.20
2G -> 2.5G -> 3G -> 4G
Bandwidth 9.6 kbps – <2 Mbps
Large geographical coverage
International coverage through roaming
Figure: GPRS phone, GPRS iPAQ, e-mail pager, GSM/GPRS PC card.
http://h18004.www1.hp.com/products/wireless/wwan/WWAN-Security.pdf
![Page 37: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/37.jpg)
Mobile Network Scenarios
Figure: zones (PAN, WLAN, 3G, GPRS, Satellite) with persons 1–5 moving between them.
Surfing: Person 1 improves bandwidth by moving into a 3G area
MP3 download: Person 2 saves time and money by scheduling the download in a public WLAN hotspot
Peer-to-peer: Person 3 sends an MP3 file over a Bluetooth link free of charge to Person 4
At sea: Person 5 maintains coverage via satellite after leaving GPRS range
Columbitech, Birdstep, Ecutel
![Page 38: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/38.jpg)
Unauthorized Wireless Bridge
Figure: a device bridging a private LAN to a public network.
![Page 39: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/39.jpg)
Perimeter Security
![Page 40: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/40.jpg)
Refined Network Access
Binary access insufficient
Health checks become mandatory (NAP)
Complete access layer secured (e.g. 802.1x)
![Page 41: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/41.jpg)
Role-based Access Control
Bluesocket, Perfigo (Cisco), Cranite, Aruba, HP ProCurve (Vernier)
Figure: inputs role, schedule, location and user feed the access control decision, which yields IP address, port, time and VLAN.
![Page 42: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/42.jpg)
Network Compartmentalization
Virus Throttling
Adaptive Network Architecture
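Virus throttling, as the slide names it, limits how fast a host may open connections to new destinations rather than inspecting content. The following added example (not HP's code) models the idea with a working set of recently contacted hosts and a one-release-per-tick delay queue whose length serves as the alarm signal; the traces and thresholds are constructed.

```python
"""Virus throttling: rate-limit connections to *new* destination hosts.

Added example, not from the original slides. A simplified model of the
HP Labs virus-throttle idea: hosts contacted recently sit in a small working
set and connect freely; connections to hosts outside it queue and are released
one per tick. A long queue is the alarm. The traces below are constructed.
"""
from __future__ import annotations
from collections import OrderedDict, deque

class VirusThrottle:
    def __init__(self, working_set_size: int = 5, alarm_queue_len: int = 20):
        self.working_set_size = working_set_size
        self.alarm_queue_len = alarm_queue_len
        self.working_set: OrderedDict[str, None] = OrderedDict()  # LRU of hosts
        self.delay_queue: deque[str] = deque()  # hosts awaiting release
        self.alarm = False
        self.immediate = 0  # connections passed without delay
        self.released: list[str] = []  # hosts released from the queue

    def _touch(self, host: str) -> None:
        """Mark host as recently contacted, evicting the least recent if full."""
        self.working_set[host] = None
        self.working_set.move_to_end(host)
        while len(self.working_set) > self.working_set_size:
            self.working_set.popitem(last=False)

    def request(self, dst_host: str) -> bool:
        """Offer a new outbound connection; True if it passes immediately."""
        if dst_host in self.working_set:
            self._touch(dst_host)
            self.immediate += 1
            return True
        self.delay_queue.append(dst_host)
        if len(self.delay_queue) >= self.alarm_queue_len:
            self.alarm = True  # far more new hosts than a user would contact
        return False

    def tick(self) -> str | None:
        """Once per interval: release a single queued connection to a new host."""
        if not self.delay_queue:
            return None
        host = self.delay_queue.popleft()
        self._touch(host)
        self.released.append(host)
        return host

def run_trace(trace: list[list[str]], **kwargs) -> VirusThrottle:
    """Apply one list of destination hosts per tick, then advance the clock."""
    t = VirusThrottle(**kwargs)
    for per_tick in trace:
        for host in per_tick:
            t.request(host)
        t.tick()
    return t

# Constructed traces: a user revisiting a few hosts, and a scanning worm.
NORMAL_TRACE = [["mail.corp.example", "intranet.corp.example"],
                ["intranet.corp.example"],
                ["mail.corp.example", "www.example.org"],
                ["www.example.org", "intranet.corp.example"]]
WORM_TRACE = [[f"10.0.{i // 256}.{i % 256}" for i in range(100)]]  # 100 new hosts in one tick

if __name__ == "__main__":
    for name, trace in (("normal", NORMAL_TRACE), ("worm", WORM_TRACE)):
        t = run_trace(trace)
        print(name, "alarm:", t.alarm, "queued:", len(t.delay_queue), "immediate:", t.immediate)
```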
![Page 43: Windows Mobile Enterprise Security Best Practices](https://reader034.fdocuments.us/reader034/viewer/2022051513/546c251baf795980298b4ece/html5/thumbnails/43.jpg)
Summary
Security concerns are the greatest inhibitor to mobility
Wireless networks and devices introduce new risks
Some mobile security (e.g. WLAN) has been inadequate
The industry has since recognized and addressed the main threats
The key to mobile security is a thorough reevaluation of existing security