Wireless networking frees mobile workers from wires and cables, allowing them to collect and view data whenever, wherever they choose. The popularity of wireless networking is broad and continues to grow. The Gartner Group stated in an April 2005 study that by 2015, the average urban citizen in the United States and Europe will use at least six wireless networking technologies per day.
Wireless technology is a broad reaching term that can signify wireless local area, (WLAN or Wi Fi); wireless wide area (WWAN), such as CDMA or GRPS; Radio Frequency Identification (RFID); or personal area networking technologies such as Bluetooth. With these technologies, data can be transmitted anytime, from any location. However, with the physical freedoms inherent to wireless technology come new security concerns. Protecting a network was much more straightforward when wires limited its reach and network security was maintained by locking the doors or simply disconnecting.
In an effort to shore up against wireless security threats, some companies have taken the extreme approach of banning wireless technology from use. Maybe a good idea in theory, but today’s business environment requires the flexibility and speed that mobile communications offer. In many cases, it is simply too late to reject wireless technology as it is likely that employees already use it in the workplace – RFID keys, automatic entry systems, cell phones, and possibly even rogue access points – without corporate knowledge or approval. When real time data and communications are critical to success, the saying “time is money” takes on all new meaning. Many employees will pursue the benefits of wireless without the blessing of their corporate IT staff.
Companies that choose to implement wireless technology – and benefit from the freedoms that it brings – must consider three basic areas of security:
1. Device Security – Determines who can use the device (with passwords and biometrics), how data is stored on the device secured (to protect it in case of loss or theft) and protects the device from viruses and “Trojan horse” attacks.
2. Communication Security – Protects data as is travels through the air, usually employing encryption, profiles and data tunnels.
3. System Access and Authentication – Determines the users and network components that are allowed to access the corporate network and/or applications residing on the network.
This paper will address the above security options as they apply to the different radio technologies.
Authentication 101 – “Can I see some ID?”
To prevent rogue attacks at points of entry behind the corporate LAN firewall, network authentication – proving identity – should be enforced for all connectivity to the network. It is increasingly important to authenticate both users and devices that bear up-to-date security software before granting access to the network. This authorization check also should be done on users and devices connecting from outside the organization. There are three ways to prove a user’s identity.
What You Know – Passwords and Pass Phrases
Passwords are the most common authentication mechanism. Passwords should be composed from a large character set, contain a large number of characters, and are frequently changed to make them difficult to guess. However, since hard-to-guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down.
Password systems must balance the password strength with the user’s ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases can be considered; due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.
What You Have – Tokens and Smart Cards
For most organizations, authentication is still simply a user name and password. For some applications, this level of security is adequate. However, when companies try to increase security – requiring frequent password changes or a mix of numbers and characters or banning words found in common dictionaries – they often run up against the limits of human memory.
Users resort to writing passwords on Post-it notes or simply forget them, only to call in to the helpdesk. These calls cost, according to industry estimates, between $10 and $35 each. Passwords also are prone to theft when written down, and can be attacked through worms or keystroke-logging spyware. The need for another level of identity assurance is clear.
Alternatively, two-factor authentication adds something in the user’s possession – usually a hardware authentication token – to something he or she knows, such as a PIN. This route allows companies to move away from the burden of strong passwords and adds the security of a single-use PIN token.
The most widely used two-factor authentication tokens are small devices from companies such as RSA Security and Secure Computing. These devices generate numeric codes that are valid for a limited time or a single use. Some systems also require the user to type a “challenge string,” often a personal identification number, into the token before the passcode is generated.
The smart card, an intelligent token, is a credit card-sized plastic card embedded with an integrated circuit chip that provides both memory capacity and computational capability. Smart cards are self-contained and resistant to attack, making them ideal in applications that require strong protection and authentication. For example, smart cards can serve as both a keycard for entering a building and to authenticate network access, thus avoiding the headaches associated with super-strict password policies.
Secure authentication via a smart card requires the user to prove he or she possesses a secret (a digital certificate or token) without revealing that secret. In short, the system that the user is trying to access sends the smart card a random number. The card then initiates a transaction and sends the number back. This process allows the system to verify the user’s identity. Oftentimes, smart cards also require a PIN to allow the card to operate.
Smart cards supply tamper-proof storage of user and account identity, and they provide vital com¬ponents of system security to allow safe data exchange throughout virtually any type of network. The cards protect against a full range of security threats, from careless user password storage to sophisticated system hacks. Multifunction cards can also serve as network system access devices as well as storing valuable data.
In contrast with passwords – which can be learned and then used to access devices until the password is changed – the information for a smart card transaction is only used once. Digital certificates in the user’s computer add more security than a password, and tokens and smart cards verify that users have a physical item in their possession, however, devices and the smart cards inside them can be stolen. The strength of this method of authentication rests in the frequent changing of the password and the inability of an attacker to guess the password at any point in time. Many companies use a token that increases security by randomly generating a password.
What You Are – Biometrics
Although PIN numbers, lock combinations and passwords can help companies identify and verify personnel, the burden of remembering and storing them complicates everyday life for users. Alternatively, biometric technology allows companies to verify personnel effortlessly, all by scanning a unique physical attribute, such as a fingerprint or the iris, or a behavioral characteristic, such as the pattern of key depression strength and pauses made on a keyboard when a user types a phrase.
The characteristic or attribute is initially digitally stored in the company’s system and becomes the user’s “password” to gain access to a protected location or device. Each time a user needs to gain access the characteristic or attribute is scanned again and compared against the stored sample. If the two match within a given limit, access is granted.
The strength of biometrics is related to the uniqueness of the characteristic selected for verification. Biometric technologies assign data values to the particular characteristics associated with a certain feature. For example, the iris typically provides many more characteristics to store and compare, making it more unique than facial characteristics. Unlike other authentication mechanisms, a biometric authenticator does not rely on a user’s memory or possession of a token to be effective. Biometrics does not rely on people to keep a secret or physically secure information or a possession. It is the only authentication methodology with these advantages.
Although biometrics is not a new technology, modern advances in miniaturization, coupled with big reductions in cost, have made it readily available to the average consumer and busi¬ness owner. Biometrics queues are difficult to forge, but these systems can be fooled. Dynamic biometrics, such as handwritten signatures and voice recognition are the most secure.
Single Sign-On Protocols
Single-sign on protocols allow users to authenticate themselves once to obtain access to a range of services. With this method, users do not have to remember or possess multiple authentication mechanisms, which potentially allows for more complex authentication methods and fewer user-created weaknesses. Disadvantages of single sign-on protocols include the broad system authorizations potentially tied to any given successful authentication, the centralization of authenticators in the single sign-on server, and potential weaknesses in the single sign-on technologies.
Device Security – Protecting the Handheld Computer
Mobile devices are convenient to use away from the office, easy to carry, and just as easy to leave behind – on the subway, in a cab, at a restaurant. Handheld computers often carry valuable and sensitive data such as customer account information, order history, pricing, and product roadmaps, as well as critical access and network credentials. If a device is mobile and contains corporate data, users should be confident that the data on the device is safe even if it falls into the wrong hands. To ensure the protection of enterprise data, mobile computers that access the network must be secured at all times.
Device security should include:
• Device authentication – Controls who can access the device. Methods of authentication can include user names, tokens or passwords
• Data encryption – Protects the data stored in the device’s memory. If a thief pulls the memory card out, encryption ensures that they cannot read the data on it. One method of encryption involves loading a device destruction security application onto company devices. These programs destroy all data, software and file systems on the device when an incorrect pin is entered, thus protecting the data from theft
• File system encryption – Protects the registry files, or the device setup and configuration
Other Device Security Concerns
Personal firewall software – currently a popular security strategy for notebook and tablet computers – should also be used on all mobile devices with network connectivity. Even though many mobile devices do not stay connected to public networks, such as 802.11 hot spots or wireless WAN services from telecommunications carriers, they are susceptible to attacks via open communications ports and should be protected by a personal firewall.
Handheld devices also can act as carriers for viruses, passing infection to the application server and beyond – even if the device itself is not directly affected. Antivirus software, such as that from McAfee, is a reliable combatant to such infection. Additionally, the server or network should scan all data received from handhelds for viruses.