Home > Blogs > Mobile Devices: Access Control, Wireless Network Risks And Security Implementations (Part 3 of 5)

Mobile Devices: Access Control, Wireless Network Risks And Security Implementations (Part 3 of 5)

In order to prevent unauthorized access to the device and the data it contains, access control is necessary, of course, and you can identify users by means of passwords, tokens and so on. Mobile devices have wireless capability to connect to the Internet and office/home computer systems. Wireless capability poses a number of specific security risks in addition to typical network associated risks.

Even if Internet access is restricted to wired networks, there is another difference between desktops and mobile devices such as laptops. Desktop computers are always connected to the LAN on which their security settings can be managed and are protected from the Internet and other untrusted networks by firewalls. On the other hand, network administrators cannot be sure which networks laptop users will connect to. When at home or in hotels, a laptop user will connect directly to the Internet without any protection and the machine will be exposed to attackers scanning for vulnerable computers connected to the Internet. A user might also connect her/his laptop to the networks of her/his business partners, where confidential information can be exposed to anyone who succeeds in breaking into the laptop. Once the user connects her/his computer to such an untrusted network, a network administrator can do little to protect the machine from attacks that can be launched against it.

Man in the middle (MITM) attacks have two major forms: eavesdropping and manipulation. An eavesdropper can record and analyze the data that she/he is listening to, while a manipulation attack requires the attacker to have also the ability of retransmitting the data after changing it.

Illicit use of a wireless network involves an attacker using the network because of its connection to other networks. Attackers may use a network to connect to the Internet or to connect to a certain corporate network.

Similarly to what happens for wired networks, wireless networks can also be the target of "Denial of Service" (DoS) attack. DoS attacks, which aim to prevent access to network resources, can be devastating and difficult to protect against. Typical DoS attacks involve flooding the network with traffic choking the transmission lines and preventing other legitimate users from accessing services on the network. DoS attacks can target many different layers of the network. An introductory article on this subject is, for example,

    http://www.wi-fiplanet.com/tutorials/article.php/2200071 .

You can implement security for WLANs using features such as Internet Protocol Security (IPsec) and 802.11 security standards such as EAP and WEP.

"Internet Protocol Security" (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec operates at the Internet Layer of the Internet Protocol Suite and is officially specified by the Internet Engineering Task Force (IETF). You can begin reading the following article, for example, about how to apply IPSec to wireless networks:      http://www.onlamp.com/pub/a/bsd/2004/10/21/wifi_ipsec.html .

IEEE 802.11 is a family of protocols for wireless networks providing the basis for interoperability between equipment from different vendors, and IEEE 802.11i, in particular, deals with security. Here the subject of wireless security will be introduced but, as it is a wide subject, if you want to acquire a deeper knowledge of it you have to read some specific books. Wireless networks security is usually divided into three main parts: station security, access point security and gateway security.

The risk model of network security relies on the assumption that the physical layer is at least somewhat secure. Data in conventional networks travels across wired mediums. Coaxial cables, twisted pairs of copper wire and optical fibers have been the foundation for networks for many years. In order to view, interrupt, or manipulate the data being transmitted, wires and switching equipment have to be physically accessed or compromised. With wireless networking, there is no more physical security. The radio waves that make wireless networking possible are also what make wireless networking so dangerous. An attacker can be anywhere nearby listening to all the traffic from your network: in a yard, near a street or anywhere else.

In order to protect the data from eavesdroppers, various forms of data encryption have been used. The 802.11 MAC specification describes an encryption protocol called "Wired Equivalent Privacy" (WEP). WEP provides authentication and confidentiality using a shared key mechanism with a symmetric cipher called RC4. There are some problems with the WEP standard: it ignores the issue of key management (so that it is not suitable for WLANs as the number of users grows) and has some security weaknesses, so that it was first corrected and then deprecated by IEEE. Despite this, WEP is still widely in use: it is often the first security choice presented to users by router configuration tools even though it provides a level of security that protects your system more from  unintentional use than from deliberate compromise. The recommended solution to WEP security problems is to switch to WPA2 or, with older equipment, to the less resource intensive WPA.

WPA stands for "Wi-Fi Protected Access" and is a certification program created by the Wi-Fi Alliance to indicate compliance with the security protocol created by the Wi-Fi Alliance to secure wireless computer networks. The protocol implements the majority of the IEEE 802.11i standards.

"Extensible Authentication Protocol", or EAP, is a universal authentication framework frequently used in wireless networks and point to point connections. It is defined in RFC 3748, which has been updated by RFC 5247. Although the EAP protocol is not limited to wireless LANs and can be used for wired LAN authentication, it is most often used in wireless LANs. The WPA/WPA2 standard has officially adopted five EAP types as its official authentication mechanisms.

Being connected to the Internet, a firewall can be important for your mobile device. You can use commercial products like those offered by Symantec and Kaspersky or free products like those you find, typically, on Linux and BSD distributions.

In the cases it is feasible, some intrusion detection software can be used. Notice there is also a Snort project focused on wireless networks:


Part 3 of 5 extracted from an original article written by Shon Harris entitled:

Mobile Device Security

Read Part 1 - Mobile Devices - Definition And Security Issues
Read Part 2 - Mobile Devices - Security Implications And Countermeasures

Security is no longer just about hackers and technical issues. Security is now a business issue and you need professionals who understand both the technical and business worlds to develop the exact solutions your company needs. If you would like more information about consulting and training services, please visit Logical Security.

Become an InformIT Member

Take advantage of special member promotions, everyday discounts, quick access to saved content, and more! Join Today.