Compaq Evo Desktop Series Скачать руководство пользователя страница 17 | Manualshive

Страница: 17 / 30

background image

Wireless Security White Paper

17

Virtual Private Networks

Virtual Private Networks (VPNs), also known as "tunnels" and commonly used over the Internet
for wired networks, can keep a wireless network hidden from prying eyes. Security experts
recommend that companies use an additional authentication system such as a VPN before
allowing data to cross from a wireless network to an intranet or other corporate system. VPNs
have the following characteristics:

•

User Authentication. The VPN must verify the user’s identity and restrict VPN access to
authorized users. The VPN must also provide audit and accounting records to show who
accessed what information and when.

•

Address Management. The VPN must assign a client’s address on the private network and
assure that addresses are kept private.

•

Data Encryption. The VPN must encrypt information transmitted on the public network.

•

Key Management. The VPN must generate and refresh encryption keys for the client and
server.

•

Multiprotocol Support. The VPN must handle common protocols used on the public network.

Figure 9 (next page) illustrates a VPN used in conjunction with firewalls.

Figure 9: Virtual Private Network (VPN)

«
...
15
16
17
18
19
...
»

Содержание Evo Desktop Series

Страница 1: ... edge Market researcher Cahners In Stat estimates that 6 2 million wireless devices will be shipped worldwide this year 2001 and double that in two years This paper looks at the pieces of the pipe of access from the device to the corporate firewall in an attempt to bring an awareness to both the user and the corporate IT manager as to where the security vulnerabilities lie and what can be done to ...

Страница 2: ...ional warranty This publication does not constitute an endorsement of the product or products that were tested The configuration or configurations tested or described may or may not be the only available solution This test is not a determination of product quality or correctness nor does it ensure compliance with any federal state or local requirements Compaq the Compaq logo Deskpro and Evo are tr...

Страница 3: ...e corporate firewall in an attempt to bring an awareness to both the user and the corporate IT manager as to where the security vulnerabilities lie and what can be done to improve security Many of the vulnerabilities can be alleviated easily by implementing policies for users and adding security layers to the pipe To put the subject of wireless security into context the paper is organized as follo...

Страница 4: ...se while making sure it cannot be abused or used to hide criminal activity These essential elements should be the result of any combination of security implementations from the device across the pipe to the corporate firewall and servers The next section describes aspects of securing the pipe the security issues that may arise with wireless networks at critical junctures along the pipe and measure...

Страница 5: ...red in planning security models Each element of the pipe along with the security problems and solutions associated with it is discussed in the next five subsections Device Security Despite the growing popularity of handheld PCs PDAs and cellular telephones the truly ubiquitous mobile computing device in the United States is still the notebook computer in Europe it is the mobile telephone Notebook ...

Страница 6: ...bile devices employing a cellular service are used more frequently in public places hotel lobbies airplanes and the like than desktop devices which makes it harder to prevent strangers from peering over the shoulders of mobile device users If permitted to observe the user s computing activity for any period of time the curious stranger may be able to read and record or remember sensitive informati...

Страница 7: ... passwords private keys digital certificates and cryptographic algorithms can be stored Simply keeping the smart card separate from the device in a wallet for example adds a level of security to the device in the event of theft Moreover a person attacking a smart card must not only possess the card but also have sophisticated tools and expertise There are two main types of smart cards contact and ...

Страница 8: ...not the actual fingerprint is then encrypted and stored within the network The user places a registered finger on the reader attached to his or her PC in order to log on to the network The information is then extracted and compared to information on the computer If the comparison is a sufficient match the user is allowed to log in Where mobile devices are concerned Compaq FIT is currently availabl...

Страница 9: ...3 Device Specific Firewalls Industry best practices dictate the use of a device mounted firewall when connecting to the Internet especially through a wireless VPN connection Software based firewalls are available from third party providers One such product is Black Ice available from Network ICE Corporation Notwithstanding the protection offered such firewalls are often not incorporated into the a...

Страница 10: ...and wireless wide area networks WWANs facilitate this usage A brief description of these connectivity technologies follows and detailed papers that exist on each technology are referenced below The following three subsections comment briefly on the three types of wireless networks and provide an illustration of each type Wireless Local area Networks A wireless local area network WLAN is a type of ...

Страница 11: ...ireless Wide area Networks Historically wireless wide area networks WWANs have been used to support voice transmission for mobile telephones WWANs use one of three digital wireless telephone technologies GSM CDMA and TDMA The Global System for Mobile communication GSM developed in Europe is the most widely used of the three digital wireless telephone technologies Code Division Multiple Access CDMA...

Страница 12: ...ed with InfoWave Figure 4 illustrates a WWAN Figure 4 Wireless Wide area Network Whether it is a WLAN a WPAN or a WWAN a wireless network uses radio waves to transmit information Radio waves travel over an unshielded medium which is air Because all wireless networks operate on the same frequency and with the same equipment and because it is difficult to control how far radio waves travel hackers c...

Страница 13: ...ravels by making it unreadable and thus unusable to casual or not so casual observers It is necessary at this juncture however to be clear that technologies used to secure one piece of the pipe may need to be deployed across multiple points in the pipe For example it may be necessary to load software on the device and on the server as well to better secure the connectivity channel Eavesdropping To...

Страница 14: ...vate key The public key is distributed widely The private key is always kept secret Data encrypted with the public key can be decrypted only with the private key Conversely data encrypted with the private key can be decrypted only with the public key Most asymmetric encryption uses the RSA algorithm developed in 1977 by Rivest Shamir and Adleman or derivatives of that algorithm Figure 6 illustrate...

Страница 15: ... can be used to encrypt sensitive information for the certificate holder The name of the Certification Authority CA that issued the certificate A serial number The validity period or lifetime of the certificate a start and end date When the issuing CA creates the certificate it digitally signs the information on the certificate The CA s signature on the certificate is like a tamper detection seal ...

Страница 16: ...igital signature is through a Certification Authority CA A CA is usually a trusted third party able to verify that the private key used to generate the digital signature belongs to the signer and that the public key is indeed associated with the digitally signed document or message Figure 8 illustrates digital signatures In Figure 8 the original data is hashed using a one way algorithm The hash is...

Страница 17: ...VPN must verify the user s identity and restrict VPN access to authorized users The VPN must also provide audit and accounting records to show who accessed what information and when Address Management The VPN must assign a client s address on the private network and assure that addresses are kept private Data Encryption The VPN must encrypt information transmitted on the public network Key Managem...

Страница 18: ...performance of the computer it runs on because of the high CPU overhead associated with the encryption and decryption algorithms The greater speeds of new generations of processors will reduce the toll that IPSec takes on machine performance IPSec is especially well suited for implementing VPNs and for remote user access through dial up connection to private networks IPSec supports two encryption ...

Страница 19: ...he subscriber identification key When the user makes a connection with a mobile base station a session key is negotiated and all transmissions both voice and data are encrypted GSM documents specify the rough functional characteristics of its protocols including the secure encryption of transmitted digital messages However apart from the protocols details of the algorithms are kept secret Most sec...

Страница 20: ...S is based on Transport Layer Security TLS a security layer used on the Internet and equivalent to Secure Socket Layer SSL WTLS was developed to solve problems specific to mobile network devices including their limited processing power memory capacity and bandwidth WTLS is designed to provide adequate authentication data integrity and privacy protection WTLS offers three classes of authentication ...

Страница 21: ...ristic is often called the WAP gap The newest ratified version of WAP is 2 0 June 2001 WAP 2 0 is radically different from previous versions and represents a strong flow of convergence with the IETF and W3C The WAP gateway is optional and WAP has now adopted the Internet standards TCP HTTP and TLS with wireless specific profiles Similarly WML is effectively a profile of XHTML Much work has been do...

Страница 22: ...s Authentication proves the identity of the user Authorization determines what the user is allowed to do Encryption assures the privacy of transmissions Data Integrity assures that the information has not been altered Non Repudiation prohibits the user from denying the transmission after the fact Figure 11 illustrates the Infowave security flow Figure 11 Infowave Security Flow More detail on each ...

Страница 23: ...s a DESX symmetric key pair on each client every time the client logs on This key pair is used to encrypt session traffic Data Integrity Infowave compresses encrypts and delivers data using its wireless protocol The Infowave server analyzes the data to determine the best compression algorithm The combination of encryption and compression ensures that data cannot be altered during transmission If d...

Страница 24: ...WEP 6 will be remedied in IEEE extensions to the WEP specification that include 802 11i and 802 1x 802 1x can be included in any access point and will permit authentication to any authentication database EAP RADIUS server The 802 11i Security Subgroup is working to specify stronger encryption algorithms for future use in 802 11 networks Compaq is an active participant in this effort In the current...

Страница 25: ... scenario sounds simple in principle Where it becomes slightly more complicated is in the actual authentication Conceptually it would be feasible to let the bridge perform the authentication using a cache of authentication information However that would be unnecessary overhead for the bridge and would mean that authentication information would need to be replicated to all bridges which is neither ...

Страница 26: ...to wired LANs this is not feasible in a wireless environment It is much more difficult to monitor and enforce the air space around office buildings than the ports and wiring within them This vulnerability is currently addressed using Wired Equivalent Privacy WEP which is available on 802 11b Access Points If WEP is in use then all stations must configure a symmetric passphrase in order to connect ...

Страница 27: ...s The fourth key juncture in the pipe after mobile access devices wireless connectivity technologies and access points centers on corporate firewalls A firewall is a set of related programs located at a network gateway server which protects the resources of a private network from users from other networks The term also implies that a security policy is used with the programs An enterprise with an ...

Страница 28: ...and firewalls centers on the application and data servers that reside inside corporate firewalls The security vulnerabilities associated with using data servers desktops with hard drives containing data and application security are the same for wired and wireless access Therefore no attempt is made here to explore the security issues associated with internal data control It is important however to...

Страница 29: ...lenge that wireless users have benefited from the security lessons learned from wired technologies in the 1990 s Whereas security around new technologies in the nineties traditionally arrived as an afterthought wireless users expect security to be built into the system from the beginning Products without security will not survive This paper has shown however that users of wireless networks are not...

Страница 30: ... Enterprise to Assure E Business Success Compaq Technical Guide February 2000 MultiPort Bluetooth Communication Compaq White Paper March 2001 http www compaq com support techpubs whitepapers 14zn 0501a wwen html MultiPort Technology Overview Compaq White Paper March 2001 http www compaq com support techpubs whitepapers 14zm 0501a wwen html MultiPort Wireless Local Area Networking Compaq White Pape...

Отзывы:

Нет отзывов

Похожие инструкции для Evo Desktop Series

Бренд: IBM Страницы: 500

FLEX-BX100-ULT5

Бренд: IEI Technology Страницы: 121

Adjustable Height Workstation

Бренд: Rockler Страницы: 8

Бренд: MiTAC Страницы: 246

Бренд: Omnitronic Страницы: 56

Toughbook CF-W8EWRZZAM

Бренд: Panasonic Страницы: 2

Toughbook CF-W8EWEZZAM

Бренд: Panasonic Страницы: 2

Toughbook CF-T8EWATZJM

Бренд: Panasonic Страницы: 2

Бренд: Panasonic Страницы: 36

Toughpad FZ-M1CCAAXBM

Бренд: Panasonic Страницы: 68

Бренд: Panasonic Страницы: 36

Бренд: Panasonic Страницы: 32

Бренд: Panasonic Страницы: 56

Бренд: Panasonic Страницы: 48

Бренд: Panasonic Страницы: 52

Бренд: Panasonic Страницы: 67

CF- - Toughbook 29 - Pentium M 1.6 GHz

Бренд: Panasonic Страницы: 80

Бренд: Panasonic Страницы: 159

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды