
Center of Excellence Wireless and Information Technology

CEWIT 2003

Keys To Secure Your Wireless Enterprise

Toby Weiss, SVP, eTrust

Computer Associates International


Agenda

• Overview of Wireless Networks
• Security Issues
• Keys to a Secure Wireless Environment


Wireless Networks Today

• WPAN (Wireless Personal Area Network)
– Bluetooth
• WLAN (Wireless Local Area Network)
– 802.11b, 802.11a, g, i, …
• WWAN (Wireless Wide Area Network)
– Through wireless operators using GPRS, CDMA, etc.


Wireless Enterprises

(Diagram: WWAN and WLAN segments attached to the existing infrastructure)


Wireless LANs

• Wireless ethernet
• Wireless access point (AP) connected to a desktop or server or an existing network
• Mobile devices with compatible network cards are required


IEEE WLAN Specifications

Specification   Frequency   Nominal data rate   Range (in meters)
802.11b         2.4 GHz     11 Mbit/s           50 – 100
802.11a/h       5 GHz       54 Mbit/s           ~ 50
802.11g         2.4 GHz     54 Mbit/s           50 – 100

(Rates are the signalling rates in megabits per second, not megabytes; actual throughput is roughly half.)


Hotspots

• Public access WLANs
• The ones you find at airports, hotels, and other public places
• On the rise, but still many issues to deal with
– Billing
– Roaming
– Security


WWANs

• Service offered by wireless operators like Vodafone, NTT DoCoMo, Verizon Wireless, Cingular and others
• Data transfer over cellular networks
• Cover global geography
• Use technologies like GPRS, CDMA, and others


What’s Available Today

• Most infrastructure is either 2G or 2.5G, not quite 3G yet
• 3G promises throughputs of:
– ~384 Kbps for semi-stationary devices
– ~128 Kbps when in a car
– ~2 Mbps in fixed applications


The #1 Barrier

• Security is the #1 issue for enterprises deploying wireless environments


Network Security

• Integrate with existing infrastructure
• Rogue access points
• Vulnerable WLANs
– Intrusions
    • Sniffing
    • Spoofing
    • Session hijacking
    • Man in the Middle
– Obstructions
    • Jamming
    • Denial-of-service
– War-driving, war-chalking
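The rogue-access-point item above is the one a network team can actually go looking for. The following is an added example (not part of the presentation) that classifies a wireless scan against an inventory of authorized APs: it flags an unknown BSSID advertising the corporate SSID (an evil twin), an authorized AP that has been left open or moved, and unknown open APs that may be employee-installed. The inventory, BSSIDs, SSIDs and scan lines are all constructed for the example.

```python
"""Added example (not from the presentation): classify WLAN scan results
against an inventory of authorized access points. Every BSSID, SSID and
scan line below is constructed."""
from dataclasses import dataclass

# Constructed inventory: BSSID -> (expected SSID, expected channel)
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("CORP-WLAN", 1),
    "00:11:22:aa:bb:02": ("CORP-WLAN", 6),
    "00:11:22:aa:bb:03": ("CORP-WLAN", 11),
}
CORPORATE_SSIDS = {ssid for ssid, _ in AUTHORIZED.values()}

# Constructed scan output, one AP per line: bssid,ssid,channel,privacy
SCAN = """\
00:11:22:aa:bb:01,CORP-WLAN,1,on
00:11:22:aa:bb:02,CORP-WLAN,6,on
00:11:22:aa:bb:03,CORP-WLAN,3,off
00:0c:41:de:ad:01,CORP-WLAN,6,off
00:0c:41:ca:fe:02,linksys,6,off
00:50:f2:12:34:56,NEIGHBOR-NET,11,on
"""


@dataclass
class Finding:
    bssid: str
    ssid: str
    severity: str
    reason: str


def parse_scan(text: str):
    """Parse the constructed CSV scan format into (bssid, ssid, channel, encrypted)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, ssid, channel, privacy = line.split(",")
        rows.append((bssid.lower(), ssid, int(channel), privacy == "on"))
    return rows


def classify(rows):
    """Compare each observed AP with the inventory and return findings."""
    findings = []
    for bssid, ssid, channel, encrypted in rows:
        if bssid in AUTHORIZED:
            exp_ssid, exp_channel = AUTHORIZED[bssid]
            if ssid != exp_ssid:
                findings.append(Finding(bssid, ssid, "high",
                                        "authorized AP advertising an unexpected SSID"))
            if not encrypted:
                findings.append(Finding(bssid, ssid, "high",
                                        "authorized AP running open (no encryption)"))
            if channel != exp_channel:
                findings.append(Finding(bssid, ssid, "low",
                                        f"authorized AP on channel {channel}, expected {exp_channel}"))
        elif ssid in CORPORATE_SSIDS:
            # Unknown radio impersonating the corporate network: evil twin / rogue AP
            findings.append(Finding(bssid, ssid, "critical",
                                    "unknown BSSID advertising a corporate SSID"))
        elif not encrypted:
            findings.append(Finding(bssid, ssid, "medium",
                                    "unknown open AP in range (possible employee-installed rogue)"))
        else:
            findings.append(Finding(bssid, ssid, "info",
                                    "unknown encrypted AP (likely a neighbor)"))
    return findings


if __name__ == "__main__":
    for f in classify(parse_scan(SCAN)):
        print(f"[{f.severity:8}] {f.bssid} {f.ssid!r}: {f.reason}")
```

A radio scan alone cannot tell whether an unknown AP is plugged into the corporate LAN; the "medium" findings need to be correlated with the wired side (for example, whether that AP's wired-side MAC shows up on a switch port) before they are treated as rogues rather than neighbors.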


Too Much Soup & Chips

• Build-it-yourself directional Wi-Fi antennas, a.k.a. “Cantennas” (gain, not amplification, is what extends the distance from which a WLAN can be sniffed or joined)
• Pringles can (5 miles)
• Campbell’s Soup can (7 miles)
• Instructions available on the Web


Nothing Better To Do?


WLAN Security

• WEP (Wired Equivalent Privacy)
– Encryption based on the RC4 stream cipher with a static shared key, a 24-bit per-frame IV, and a CRC-32 integrity check
• WPA (Wi-Fi Protected Access)
– Interim fix for WEP: TKIP derives a fresh per-packet RC4 key from dynamically distributed keys and replaces the linear CRC with a keyed message integrity check (Michael)
• 802.1X
– Port-based network access control; authenticates users with EAP (Extensible Authentication Protocol), normally against a RADIUS server
• 802.11i
– The full amendment (ratified in 2004, after this talk, and certified as WPA2): AES-CCMP encryption plus 802.1X/EAP authentication


Wireless Encryption

Figures as presented on the slide:

System                 Algorithm      Key Length           Time To Crack
802.11 (WEP)           RC4            40 bits              0.7 seconds
GSM                    A5             56 bits (NATO)       12 hours
                                      40 bits (friendly)   0.7 seconds
                                      0 bits (world)       0
CDMA One               Oryx           96 bits (US)         1.5 billion years
                                      32 bits (world)      2.6 milliseconds
UMTS                   Kasumi         128 bits             6.5 million trillion years
802.11 (TKIP or WPA)   RC4/Kerberos   128 bits             3 seconds

Example open source utilities: WEPCrack (Perl), AirSnort (Linux)

Note that the tools named do not brute-force the key at all. WEPCrack and AirSnort exploit the Fluhrer-Mantin-Shamir weakness in RC4’s key scheduling (weak IVs), so the time to recover a WEP key depends on how much traffic can be captured, not on the nominal key length; a 104-bit WEP key falls to the same attack.
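The two preceding slides describe WEP’s construction and the tools that break it; the following is an added example (not part of the presentation) showing in working code why the "time to crack" column is beside the point for WEP. It implements RC4 and WEP’s encapsulation (IV || key as the RC4 key, CRC-32 as the ICV) and then demonstrates two flaws that need no key recovery at all: keystream reuse when the 24-bit IV repeats, and undetected modification of an encrypted frame because CRC-32 is linear. The key, IV and frame contents are constructed.

```python
"""Added example (not from the presentation): RC4 as WEP uses it, plus two
WEP flaws that require no key recovery. Key, IV and frames are constructed."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP's integrity check value is a plain CRC-32, which is linear."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation: the per-frame RC4 key is the 24-bit IV followed by
    the shared key; the IV is sent in the clear ahead of the ciphertext."""
    assert len(iv) == 3
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext, or None when the ICV does not verify."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    plaintext, tag = body[:-4], body[-4:]
    return plaintext if icv(plaintext) == tag else None


# Flaw 1: IV reuse. With only 2^24 IVs the same (IV, key) pair recurs and the
# keystream repeats, so C1 XOR C2 = P1 XOR P2. Knowing P1 reveals P2.
def recover_via_iv_reuse(frame_known: bytes, known_plaintext: bytes,
                         frame_target: bytes) -> bytes:
    assert frame_known[:3] == frame_target[:3], "attack needs an IV collision"
    assert len(frame_known) == len(frame_target)
    keystream = xor(frame_known[3:], known_plaintext + icv(known_plaintext))
    return xor(frame_target[3:], keystream)[:-4]


# Flaw 2: bit flipping. CRC-32 is affine: crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0..0)
# for equal lengths, so an attacker XORs a chosen delta into the ciphertext and
# patches the encrypted ICV with crc(D) ^ crc(zeros), never touching the key.
def flip_bits(frame: bytes, delta: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    assert len(delta) == len(ct) - 4
    tag_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return iv + xor(ct, delta + tag_delta)


# Constructed inputs
KEY = bytes.fromhex("0102030405")          # a 40-bit WEP key
IV = b"\x00\x00\x01"
P1 = b"GET /index.html HTTP/1.0"
P2 = b"GET /secret.htm HTTP/1.0"           # same length as P1
DELTA = bytes(5) + xor(b"index", b"admin") + bytes(len(P1) - 10)  # turns "index" into "admin"


def demo():
    f1 = wep_encrypt(KEY, IV, P1)
    f2 = wep_encrypt(KEY, IV, P2)           # the AP reused the IV
    recovered = recover_via_iv_reuse(f1, P1, f2)
    forged = wep_decrypt(KEY, flip_bits(f1, DELTA))
    return recovered, forged


if __name__ == "__main__":
    recovered, forged = demo()
    print("recovered from IV reuse:", recovered)
    print("forged frame decrypts to:", forged)
```

Both attacks are why WPA’s TKIP added a per-packet key mix and a keyed integrity check (Michael), and why 802.11i replaced RC4 and CRC-32 with AES-CCMP altogether.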


Device Security

• Protection of mobile information
• Configuration control
• Virus attacks
• Recovering from the effects of lost and stolen devices


User Security

• Integrate mobile users into existing security policies
• Context-based access control
• Identity management
• Authentication
• Provisioning
• Location-based security


Security Best Practices

• Get your wired security in order first
• Take an enterprise-wide perspective
• Define clear goals and security policies for your wireless environment
– Networks
– Devices
– Users
• Identify and audit the wireless users
• Research the technology thoroughly and choose what best meets your business objectives
• Partner with trusted business and technology advisors


Basic WLAN security

• Encrypt the link: WEP at minimum, AES (802.11i CCMP) where the hardware supports it; WEP on its own is breakable, as the earlier slides show
• Maintain an updated MAC list (hygiene only: MAC addresses travel in the clear and are trivially spoofed, so this is not authentication)
• Do not broadcast the SSID (hides the network from casual scanning only; the SSID still appears in probe and association frames)
• If you can, don’t use DHCP for wireless devices
• Use WPA so that the keys are dynamically rotated
• Use 802.1X to authenticate your users
• Require WLAN users to log in through a VPN
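The checklist above is a configuration exercise on the access point. The following is an added example (not part of the presentation) that audits an access-point configuration against those items. The two configurations are constructed; the key names follow hostapd.conf conventions (wep_key0, auth_algs, wpa, wpa_key_mgmt, rsn_pairwise, ieee8021x, ignore_broadcast_ssid, macaddr_acl), but the checker is illustrative and is not hostapd’s own validation. The DHCP and VPN items live outside the AP and are not checked here.

```python
"""Added example (not from the presentation): audit an access-point config
against the slide's checklist. Both configs are constructed; key names follow
hostapd.conf but the checks are illustrative, not hostapd's own."""

# Constructed: the "WEP with shared-key auth" setup the slide warns about
WEAK_CONF = """\
interface=wlan0
ssid=CORP-WLAN
channel=6
auth_algs=3
wep_default_key=0
wep_key0=0102030405
"""

# Constructed: RSN (802.11i) with AES-CCMP, 802.1X/EAP via RADIUS, hidden
# SSID and a MAC allow-list; the last two are hygiene, not security controls
HARDENED_CONF = """\
interface=wlan0
ssid=CORP-WLAN
channel=6
auth_algs=1
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd.accept
ieee8021x=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME
"""


def parse_conf(text: str) -> dict:
    """key=value lines, '#' comments and blank lines ignored."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def audit(conf: dict) -> list:
    """Return a list of findings; an empty list means the checklist is met."""
    findings = []
    wpa = int(conf.get("wpa", "0"))
    has_wep = "wep_key0" in conf or "wep_default_key" in conf
    if has_wep:
        findings.append("WEP key configured: static RC4 key, recoverable from captured traffic")
    if wpa == 0 and not has_wep:
        findings.append("no encryption at all")
    if conf.get("auth_algs") in ("2", "3"):
        # Shared-key auth: the challenge is sent in clear and returned encrypted,
        # handing an eavesdropper plaintext/ciphertext and so the keystream
        findings.append("shared-key authentication enabled: the challenge/response leaks keystream")
    if wpa & 1:
        findings.append("WPA1/TKIP allowed: RC4-based; prefer RSN (wpa=2) with CCMP")
    pairwise = conf.get("rsn_pairwise", conf.get("wpa_pairwise", ""))
    if wpa and "TKIP" in pairwise:
        findings.append("TKIP pairwise cipher allowed alongside CCMP")
    if wpa and conf.get("ieee8021x") != "1" and "EAP" not in conf.get("wpa_key_mgmt", ""):
        findings.append("no 802.1X/EAP: users are not individually authenticated")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast (cosmetic; SSID is still visible in probe/association frames)")
    if conf.get("macaddr_acl", "0") == "0":
        findings.append("no MAC list (hygiene only; MAC addresses are trivially spoofed)")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_conf(text)) or 'no findings'}")
```

The ordering of the findings mirrors the slide’s priorities: the encryption and authentication items are the ones that stop an attacker, while the SSID and MAC-list items only reduce noise from casual scanners.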


Take No Chances
