background image

Wireless Security White Paper 

 

Introduction 

Wireless networks connect computers in offices or homes to other computers, or to devices such 
as printers, by using radio or infrared signals instead of cables and jacks. Since wireless networks 
dispense with cables, users connected to wireless computer networks (or wirelessly connected to 
computer networks) can roam around with the machines they use to gain access to such networks. 
This ability to function in "untethered" mode is a great convenience. 

Users and corporations are using wireless technologies at astonishing rates to take advantage of 
the benefits of wireless-enabled productivity to gain and maintain a competitive edge. Market 
researcher Cahners In-Stat estimates that 6.2 million wireless devices will be shipped worldwide 
this year (2001), and double that in two years.

1

 

The pervasiveness of sending and receiving data via wireless networks to the Internet and 
corporate intranets has presented users of access devices and corporations with new concerns 
about vulnerability to security breaches. Wireless access technologies have been called "one of 
the newest and potentially most dangerous security holes in U.S. business."

2

 Experts estimate that 

most of the wireless networks in operation today have no security whatsoever. This is so in part 
because many users are not aware of specific security vulnerabilities or don’t understand the 
magnitude of potential loss and, therefore, do not put the appropriate measures in place. This 
paper will look at the pieces of the “pipe” of access from the device to the corporate firewall in an 
attempt to bring an awareness to both the user and the corporate IT manager as to where the 
security vulnerabilities lie and what can be done to improve security. Many of the vulnerabilities 
can be alleviated easily by implementing policies for users and adding security layers to the pipe.  

To put the subject of wireless security into context, the paper is organized as follows: First, 
securing wireless systems in general is discussed, then securing each point along the access pipe 
is discussed. 

A significant part of wireless network security overlaps with security designed for wired 
networks. This is particularly so where firewalls, virtual private networks, and corporate servers 
are concerned. Please see the Compaq Technical Guide titled “Safe Computing and E-Business:  
Protecting the Enterprise to Assure E-Business Success” 
(

http://activeanswers.compaq.com/ActiveAnswers/Render/1,1027,1317-6-100-225-1,00.html

 

February, 2000) for important detail on best practices and established technologies for managing 
corporate network security. 

For complete wireless and mobile security solutions, please contact Compaq Global Services at 

http://www.compaq.com/services/index_infrastructure.html

Security in General 

It is important to realize from the outset that no single measure may be adequate to address 
security in wirelessly enabled networks. Both wired and wireless security implementations must 
be constantly evaluated and improved as people find new ways to gain unauthorized access to 
sensitive data. To plan a security business model, key elements of security must be considered as 
each point of access is examined. 

                                                            

1

 Lee Gomes, "Often unguarded wireless networks can be eavesdroppers’ gold mine" (Wall Street Journal Online, April 27, 2001). 

2

 Gomes. 

Summary of Contents for Evo Desktop Series

Page 1: ... edge Market researcher Cahners In Stat estimates that 6 2 million wireless devices will be shipped worldwide this year 2001 and double that in two years This paper looks at the pieces of the pipe of access from the device to the corporate firewall in an attempt to bring an awareness to both the user and the corporate IT manager as to where the security vulnerabilities lie and what can be done to ...

Page 2: ...ional warranty This publication does not constitute an endorsement of the product or products that were tested The configuration or configurations tested or described may or may not be the only available solution This test is not a determination of product quality or correctness nor does it ensure compliance with any federal state or local requirements Compaq the Compaq logo Deskpro and Evo are tr...

Page 3: ...e corporate firewall in an attempt to bring an awareness to both the user and the corporate IT manager as to where the security vulnerabilities lie and what can be done to improve security Many of the vulnerabilities can be alleviated easily by implementing policies for users and adding security layers to the pipe To put the subject of wireless security into context the paper is organized as follo...

Page 4: ...se while making sure it cannot be abused or used to hide criminal activity These essential elements should be the result of any combination of security implementations from the device across the pipe to the corporate firewall and servers The next section describes aspects of securing the pipe the security issues that may arise with wireless networks at critical junctures along the pipe and measure...

Page 5: ...red in planning security models Each element of the pipe along with the security problems and solutions associated with it is discussed in the next five subsections Device Security Despite the growing popularity of handheld PCs PDAs and cellular telephones the truly ubiquitous mobile computing device in the United States is still the notebook computer in Europe it is the mobile telephone Notebook ...

Page 6: ...bile devices employing a cellular service are used more frequently in public places hotel lobbies airplanes and the like than desktop devices which makes it harder to prevent strangers from peering over the shoulders of mobile device users If permitted to observe the user s computing activity for any period of time the curious stranger may be able to read and record or remember sensitive informati...

Page 7: ... passwords private keys digital certificates and cryptographic algorithms can be stored Simply keeping the smart card separate from the device in a wallet for example adds a level of security to the device in the event of theft Moreover a person attacking a smart card must not only possess the card but also have sophisticated tools and expertise There are two main types of smart cards contact and ...

Page 8: ...not the actual fingerprint is then encrypted and stored within the network The user places a registered finger on the reader attached to his or her PC in order to log on to the network The information is then extracted and compared to information on the computer If the comparison is a sufficient match the user is allowed to log in Where mobile devices are concerned Compaq FIT is currently availabl...

Page 9: ...3 Device Specific Firewalls Industry best practices dictate the use of a device mounted firewall when connecting to the Internet especially through a wireless VPN connection Software based firewalls are available from third party providers One such product is Black Ice available from Network ICE Corporation Notwithstanding the protection offered such firewalls are often not incorporated into the a...

Page 10: ...and wireless wide area networks WWANs facilitate this usage A brief description of these connectivity technologies follows and detailed papers that exist on each technology are referenced below The following three subsections comment briefly on the three types of wireless networks and provide an illustration of each type Wireless Local area Networks A wireless local area network WLAN is a type of ...

Page 11: ...ireless Wide area Networks Historically wireless wide area networks WWANs have been used to support voice transmission for mobile telephones WWANs use one of three digital wireless telephone technologies GSM CDMA and TDMA The Global System for Mobile communication GSM developed in Europe is the most widely used of the three digital wireless telephone technologies Code Division Multiple Access CDMA...

Page 12: ...ed with InfoWave Figure 4 illustrates a WWAN Figure 4 Wireless Wide area Network Whether it is a WLAN a WPAN or a WWAN a wireless network uses radio waves to transmit information Radio waves travel over an unshielded medium which is air Because all wireless networks operate on the same frequency and with the same equipment and because it is difficult to control how far radio waves travel hackers c...

Page 13: ...ravels by making it unreadable and thus unusable to casual or not so casual observers It is necessary at this juncture however to be clear that technologies used to secure one piece of the pipe may need to be deployed across multiple points in the pipe For example it may be necessary to load software on the device and on the server as well to better secure the connectivity channel Eavesdropping To...

Page 14: ...vate key The public key is distributed widely The private key is always kept secret Data encrypted with the public key can be decrypted only with the private key Conversely data encrypted with the private key can be decrypted only with the public key Most asymmetric encryption uses the RSA algorithm developed in 1977 by Rivest Shamir and Adleman or derivatives of that algorithm Figure 6 illustrate...

Page 15: ... can be used to encrypt sensitive information for the certificate holder The name of the Certification Authority CA that issued the certificate A serial number The validity period or lifetime of the certificate a start and end date When the issuing CA creates the certificate it digitally signs the information on the certificate The CA s signature on the certificate is like a tamper detection seal ...

Page 16: ...igital signature is through a Certification Authority CA A CA is usually a trusted third party able to verify that the private key used to generate the digital signature belongs to the signer and that the public key is indeed associated with the digitally signed document or message Figure 8 illustrates digital signatures In Figure 8 the original data is hashed using a one way algorithm The hash is...

Page 17: ...VPN must verify the user s identity and restrict VPN access to authorized users The VPN must also provide audit and accounting records to show who accessed what information and when Address Management The VPN must assign a client s address on the private network and assure that addresses are kept private Data Encryption The VPN must encrypt information transmitted on the public network Key Managem...

Page 18: ...performance of the computer it runs on because of the high CPU overhead associated with the encryption and decryption algorithms The greater speeds of new generations of processors will reduce the toll that IPSec takes on machine performance IPSec is especially well suited for implementing VPNs and for remote user access through dial up connection to private networks IPSec supports two encryption ...

Page 19: ...he subscriber identification key When the user makes a connection with a mobile base station a session key is negotiated and all transmissions both voice and data are encrypted GSM documents specify the rough functional characteristics of its protocols including the secure encryption of transmitted digital messages However apart from the protocols details of the algorithms are kept secret Most sec...

Page 20: ...S is based on Transport Layer Security TLS a security layer used on the Internet and equivalent to Secure Socket Layer SSL WTLS was developed to solve problems specific to mobile network devices including their limited processing power memory capacity and bandwidth WTLS is designed to provide adequate authentication data integrity and privacy protection WTLS offers three classes of authentication ...

Page 21: ...ristic is often called the WAP gap The newest ratified version of WAP is 2 0 June 2001 WAP 2 0 is radically different from previous versions and represents a strong flow of convergence with the IETF and W3C The WAP gateway is optional and WAP has now adopted the Internet standards TCP HTTP and TLS with wireless specific profiles Similarly WML is effectively a profile of XHTML Much work has been do...

Page 22: ...s Authentication proves the identity of the user Authorization determines what the user is allowed to do Encryption assures the privacy of transmissions Data Integrity assures that the information has not been altered Non Repudiation prohibits the user from denying the transmission after the fact Figure 11 illustrates the Infowave security flow Figure 11 Infowave Security Flow More detail on each ...

Page 23: ...s a DESX symmetric key pair on each client every time the client logs on This key pair is used to encrypt session traffic Data Integrity Infowave compresses encrypts and delivers data using its wireless protocol The Infowave server analyzes the data to determine the best compression algorithm The combination of encryption and compression ensures that data cannot be altered during transmission If d...

Page 24: ...WEP 6 will be remedied in IEEE extensions to the WEP specification that include 802 11i and 802 1x 802 1x can be included in any access point and will permit authentication to any authentication database EAP RADIUS server The 802 11i Security Subgroup is working to specify stronger encryption algorithms for future use in 802 11 networks Compaq is an active participant in this effort In the current...

Page 25: ... scenario sounds simple in principle Where it becomes slightly more complicated is in the actual authentication Conceptually it would be feasible to let the bridge perform the authentication using a cache of authentication information However that would be unnecessary overhead for the bridge and would mean that authentication information would need to be replicated to all bridges which is neither ...

Page 26: ...to wired LANs this is not feasible in a wireless environment It is much more difficult to monitor and enforce the air space around office buildings than the ports and wiring within them This vulnerability is currently addressed using Wired Equivalent Privacy WEP which is available on 802 11b Access Points If WEP is in use then all stations must configure a symmetric passphrase in order to connect ...

Page 27: ...s The fourth key juncture in the pipe after mobile access devices wireless connectivity technologies and access points centers on corporate firewalls A firewall is a set of related programs located at a network gateway server which protects the resources of a private network from users from other networks The term also implies that a security policy is used with the programs An enterprise with an ...

Page 28: ...and firewalls centers on the application and data servers that reside inside corporate firewalls The security vulnerabilities associated with using data servers desktops with hard drives containing data and application security are the same for wired and wireless access Therefore no attempt is made here to explore the security issues associated with internal data control It is important however to...

Page 29: ...lenge that wireless users have benefited from the security lessons learned from wired technologies in the 1990 s Whereas security around new technologies in the nineties traditionally arrived as an afterthought wireless users expect security to be built into the system from the beginning Products without security will not survive This paper has shown however that users of wireless networks are not...

Page 30: ... Enterprise to Assure E Business Success Compaq Technical Guide February 2000 MultiPort Bluetooth Communication Compaq White Paper March 2001 http www compaq com support techpubs whitepapers 14zn 0501a wwen html MultiPort Technology Overview Compaq White Paper March 2001 http www compaq com support techpubs whitepapers 14zm 0501a wwen html MultiPort Wireless Local Area Networking Compaq White Pape...

Reviews: