White Paper
December 2001
Prepared by:
Access Business Group
Compaq Computer Corporation
Contents
Introduction................................. 3
Security in General..................... 3
Essential Elements of Security .......... 4
Security and the Pipe ................. 4
Device Security......................... 5
Connectivity Technologies ........ 9
Access Points.......................... 24
Corporate Firewalls................. 27
Application and Data Servers.. 28
Conclusion................................ 29
Bibliography.............................. 30
Wireless Security
Abstract: People and corporations are using wireless technologies
at astonishing rates to take advantage of the benefits of wireless-enabled productivity to gain
and maintain a competitive edge.
Market researcher Cahners In-Stat estimates that 6.2 million wireless
devices will be shipped worldwide this year (2001), and double that
in two years.
This paper looks at the pieces of the “pipe” of access from the device
to the corporate firewall in an attempt to bring an awareness to both
the user and the corporate IT manager as to where the security
vulnerabilities lie and what can be done to improve security. Many
of the vulnerabilities can be alleviated easily by implementing
policies for users and adding security layers to the pipe. To put the
subject of wireless security into context, the paper is organized as
follows: First, securing wireless systems in general is discussed, then
securing each point along the access pipe is discussed.
Wireless Security White Paper 2
Notice
The information in this publication is subject to change without notice and is provided “AS IS” WITHOUT
WARRANTY OF ANY KIND. THE ENTIRE RISK ARISING OUT OF THE USE OF THIS
INFORMATION REMAINS WITH RECIPIENT. IN NO EVENT SHALL COMPAQ BE LIABLE FOR
ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, SPECIAL, PUNITIVE, OR OTHER DAMAGES
WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS
PROFITS, BUSINESS INTERRUPTION, OR LOSS OF BUSINESS INFORMATION), EVEN IF
COMPAQ HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
The limited warranties for Compaq products are exclusively set forth in the documentation accompanying
such products. Nothing herein should be construed as constituting a further or additional warranty.
This publication does not constitute an endorsement of the product or products that were tested. The
configuration or configurations tested or described may or may not be the only available solution. This test
is not a determination of product quality or correctness, nor does it ensure compliance with any federal,
state or local requirements.
Compaq, the Compaq logo, Deskpro, and Evo are trademarks of Compaq Information Technologies Group,
L.P. in the U.S. and/or other countries.
Intel, Pentium, and Celeron are trademarks of Intel Corporation in the U.S. and/or other countries.
Microsoft and Windows are trademarks of Microsoft Corporation in the U.S. and/or other countries.
All other product names mentioned herein may be trademarks of their respective companies.
©2002 Compaq Information Technologies Group, L.P.
Wireless Security
White Paper prepared by Access Business Group
First Edition (December 2001)
Document Number 161Z-1201A-WWEN
Introduction
Wireless networks connect computers in offices or homes to other computers, or to devices such
as printers, by using radio or infrared signals instead of cables and jacks. Since wireless networks
dispense with cables, users connected to wireless computer networks (or wirelessly connected to
computer networks) can roam around with the machines they use to gain access to such networks.
This ability to function in "untethered" mode is a great convenience.
Users and corporations are using wireless technologies at astonishing rates to take advantage of
the benefits of wireless-enabled productivity to gain and maintain a competitive edge. Market
researcher Cahners In-Stat estimates that 6.2 million wireless devices will be shipped worldwide
this year (2001), and double that in two years.[1]
The pervasiveness of sending and receiving data via wireless networks to the Internet and
corporate intranets has presented users of access devices and corporations with new concerns
about vulnerability to security breaches. Wireless access technologies have been called "one of
the newest and potentially most dangerous security holes in U.S. business."[2] Experts estimate that
most of the wireless networks in operation today have no security whatsoever. This is so in part
because many users are not aware of specific security vulnerabilities or don’t understand the
magnitude of potential loss and, therefore, do not put the appropriate measures in place. This
paper will look at the pieces of the “pipe” of access from the device to the corporate firewall in an
attempt to bring an awareness to both the user and the corporate IT manager as to where the
security vulnerabilities lie and what can be done to improve security. Many of the vulnerabilities
can be alleviated easily by implementing policies for users and adding security layers to the pipe.
To put the subject of wireless security into context, the paper is organized as follows: First,
securing wireless systems in general is discussed, then securing each point along the access pipe
is discussed.
A significant part of wireless network security overlaps with security designed for wired
networks. This is particularly so where firewalls, virtual private networks, and corporate servers
are concerned. Please see the Compaq Technical Guide titled “Safe Computing and E-Business:
Protecting the Enterprise to Assure E-Business Success”
(http://activeanswers.compaq.com/ActiveAnswers/Render/1,1027,1317-6-100-225-1,00.html
February, 2000) for important detail on best practices and established technologies for managing
corporate network security.
For complete wireless and mobile security solutions, please contact Compaq Global Services at
http://www.compaq.com/services/index_infrastructure.html.
Security in General
It is important to realize from the outset that no single measure may be adequate to address
security in wirelessly enabled networks. Both wired and wireless security implementations must
be constantly evaluated and improved as people find new ways to gain unauthorized access to
sensitive data. To plan a security business model, key elements of security must be considered as
each point of access is examined.
[1] Lee Gomes, "Often unguarded wireless networks can be eavesdroppers’ gold mine" (Wall Street Journal Online, April 27, 2001).
[2] Gomes.
Essential Elements of Security
The essential elements of security as it applies to wireless networks are:
- Privacy — assuring that only people who have permission to do so can view information and
  transactions. Privacy is preserved through a process that authorizes identified persons to see
  protected information and engage in transactions. Encryption is an important tool for
  preserving privacy.
- Authentication — the process of verifying that the parties to an electronic transaction, as well
  as persons seeking access to digital information, are who they say they are. Authentication
  verifies identity and is supported by digital signatures.
- Integrity — a process by which a security system seeks to preserve stored information and
  information that circulates in messages. Assuring that such information remains intact and
  unchanged (except by authorized parties) preserves its integrity.
- Non-repudiation — a process that proves an entity took a course of action, and only that entity
  could have taken the course of action. This quality makes electronic transactions legally
  binding. Non-repudiation is supported by digital signatures and trusted timestamps.
- System Management — all security technology must be managed. This means setting it up to
  be easy to use, while making sure it cannot be abused or used to hide criminal activity.
These essential elements should be the result of any combination of security implementations
from the device across the “pipe” to the corporate firewall and servers.
The next section describes aspects of securing the “pipe”, the security issues that may arise with
wireless networks at critical junctures along the pipe, and measures that can be taken to address
those issues.
Security and the Pipe
A pipe is a conduit through which something flows. A wireless mobile business solution should
include an end-to-end security model for enabling secure data access by creating a secure pipe
from the mobile user’s access device (the client) across various networks (air, broadband, dial-up)
to the point where access is gained to the corporate network. From here the pipe leads through the
corporate firewall to corporate applications. The end-to-end security model should also provide
management mechanisms for performance and security.
Key elements of the pipe are the following:
1. Security at the mobile access device level or client (Device Security)
2. Security in wireless connectivity technologies (Connectivity Technologies):
   WLAN, WPAN, WWAN, broadband, dial-up, RAS
3. Security at the point of access to the wired transmission path (Access Point):
   WLAN hubs, telecommunications companies
4. Security at the corporate firewall and servers (Corporate Access)
5. Security of the corporate data inside the firewall (Corporate Data)
   (This aspect of security is not covered in this paper, since securing data from
   unauthorized access behind the firewall is not a wireless security concern, but a wired
   one.)
Figure 1 illustrates the pipe.
Figure 1: The Network Pipe
The vertical yellow lines in Figure 1 represent the pivotal points of data transfer. The horizontal
lines represent data traveling from one place to the next either wired or wirelessly. The entire pipe
must be considered in planning security models. Each element of the pipe, along with the security
problems and solutions associated with it, is discussed in the next five subsections.
Device Security
Despite the growing popularity of handheld PCs, PDAs, and cellular telephones, the truly
ubiquitous mobile computing device in the United States is still the notebook computer (in
Europe it is the mobile telephone). Notebook computers are used for online connectivity, Internet
surfing, organization of information such as contact lists and tasks, storage of vast amounts of
data, hosting of numerous client applications, and creation of primary content such as documents,
e-mail messages, and spreadsheets.
Moreover, workers are using notebook computers more and more as desktop machines while in
the office, then taking them home at the end of the day to continue working. Because of their
usefulness, companies deploy millions of notebook computers to their employees. Companies
treat the devices as critical resources by defining usage and security policies and by instituting
measures to protect the hardware and the data that the devices hold. For information on Compaq
notebook computers, see http://www.compaq.com/showroom/notebooks.html.
Mobile devices such as handheld computers, PDAs, and cellular telephones have traditionally
been used for a subset of the tasks that notebook computers address. However, handheld
computers and PDAs are beginning to be used by workers who are on the road or present in client
offices to access many types of applications in real time. For information on Compaq handheld
devices, see http://www.compaq.com/showroom/handhelds.html.
Device security concerns increase significantly where handheld mobile devices are concerned,
because they are often owned and managed by individuals, as opposed to the companies they
work for. Most companies, therefore, do not have in place the usage and security policies
appropriate for such devices. The difficulty in managing individually owned handheld mobile
devices and their rate of propagation causes them to pose a unique security threat.
The following subsections describe security problems specific to mobile access devices, the first
link in the pipe on the client side, and possible solutions to those problems.
Usage in Public
Mobile devices employing a cellular service are used more frequently in public places (hotel
lobbies, airplanes, and the like) than desktop devices, which makes it harder to prevent strangers
from peering over the shoulders of mobile device users. If permitted to observe the user’s
computing activity for any period of time, the curious stranger may be able to read and record (or
remember) sensitive information. This violates the security tenet of privacy.
The exposure to prying eyes that mobile devices incur has no technological solution. The only
way for users to minimize this exposure is to exercise vigilance and common sense. Being
selective in where and when they use their devices and reasonably alert in monitoring their
surroundings are precautions that mobile device users can and should take. The smaller screens of
handheld devices reduce this type of security risk.
Loss and Theft
Mobile access devices are more susceptible to loss and theft than larger stationary devices. If a
device is lost or stolen, unauthorized persons may view confidential information stored on the
device. They may also use the device to gain access to public and private networks in order to
tamper with or steal information. The security tenets of privacy, authentication, and integrity are
all potentially breached in such a situation.
Vulnerability to Hacking
Connecting to the Internet or to corporate networks by radio waves leaves data vulnerable to
hacking because of the open-to-all nature of the transmission medium (air). Minimizing
vulnerability to hackers can be accomplished when both access devices and portals themselves
are protected by their own firewalls. Often firewalls are not installed due to the small storage size
of some handheld access devices, and lack of enforcement of security and usage policies relating
to such devices.
Available Device-specific Security Measures
Many security measures are available for mobile access devices. Some of these are outlined in the
subsections below. For various reasons they are often not fully implemented.
Passwords
Mobile devices, especially handhelds, have small user interfaces and keypads, leading many users
to choose simpler passwords. For example, keypads that associate multiple letters with each key
require repeated presses to type certain letters. Users often choose passwords that use the first
letter typed by a given key. This practice substantially reduces the number of possible passwords.
Also, mobile device users often cache their passwords on the devices in order to automate
connections to servers.
A further consideration is whether or not to permit single sign-on from the mobile device. While
doing so is more convenient given the cumbersome nature of password entry on mobile devices,
it raises the level of risk that intruders may penetrate the network.
The straightforward solution is to endure the trade-off in convenience and make password
protection more robust by avoiding weak passwords, refraining from password caching, and
avoiding single sign-on.
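To make the keypad point concrete, here is an added Python check (not part of the Compaq paper) that counts the presses a keypad password needs, flags passwords made only of one-press characters, and compares the resulting keyspace with the full letters-plus-digits alphabet. The ITU E.161 key layout, the 36-character comparison alphabet and the reject rule are assumptions of the example.

```python
import math

# ITU E.161 keypad letter groups (assumed layout): the paper's point is that
# users pick the first letter on each key because it needs only one press.
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
# Letters reachable with a single press: a, d, g, j, m, p, t, w.
FIRST_PRESS_LETTERS = frozenset(group[0] for group in KEYPAD.values())
LETTER_TO_KEY = {ch: key for key, group in KEYPAD.items() for ch in group}


def key_presses(password: str) -> int:
    """Number of keypad presses needed to type the password (letters and digits only)."""
    presses = 0
    for ch in password.lower():
        if ch.isdigit():
            presses += 1
        elif ch in LETTER_TO_KEY:
            # Position within the key's letter group plus one, e.g. 'c' on key 2 = 3 presses.
            presses += KEYPAD[LETTER_TO_KEY[ch]].index(ch) + 1
        else:
            raise ValueError(f"character not on keypad: {ch!r}")
    return presses


def one_press_per_char(password: str) -> bool:
    """True when every character is a digit or a first-press letter (the weak pattern)."""
    return all(ch.isdigit() or ch in FIRST_PRESS_LETTERS for ch in password.lower())


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of a uniformly chosen password of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def assess(password: str) -> dict:
    """Policy check: reject keypad-friendly passwords and show how much keyspace they give up.

    Assumed alphabets: 36 = 26 letters + 10 digits a user could type,
    18 = 8 first-press letters + 10 digits that users actually tend to use.
    """
    n = len(password)
    weak = one_press_per_char(password)
    return {
        "presses": key_presses(password),
        "one_press_only": weak,
        "bits_full_alphabet": round(keyspace_bits(n, 36), 1),
        "bits_if_first_press": round(keyspace_bits(n, 18), 1),
        "reject": weak,
    }


if __name__ == "__main__":
    for candidate in ("adgjmptw", "crisp42x"):
        print(candidate, assess(candidate))
```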
Smart Cards
Smart cards offer a partial solution to the problem of securing data transmissions to and from
mobile devices. The smart card is a tamper-resistant piece of hardware on which passwords,
private keys, digital certificates, and cryptographic algorithms can be stored. Simply keeping the
smart card separate from the device, in a wallet for example, adds a level of security to the device
in the event of theft. Moreover, a person attacking a smart card must not only possess the card but
also have sophisticated tools and expertise.
There are two main types of smart cards: contact and contactless. The contact smart card consists
of a plastic card with gold-plated contacts embedded in the plastic. These contacts are connected
to an integrated circuit sandwiched between layers of plastic inside the card. The contactless
smart card typically connects to the smart card reader through an internal antenna.
Smart cards are easy to use, and the newer, more complex ones offer relatively strong encryption.
A smart card is most effective when paired with a personal identification number (PIN). Whereas
a stolen smart card can be used just like a stolen password, the association with a PIN presents
thieves with a further barrier to obtaining access to a wireless network, even with the card.
Smart card readers offer different levels of security. The basic smart card reader reads the smart
card in conjunction with a PIN. The enhanced smart card reader also reads the card in conjunction
with a PIN, but in addition does not allow the PIN back out to the serial port, thus preventing PIN
information from being intercepted via the serial port. The enhanced reader typically can perform
its own protocol and cryptological processing, unlike smart cards that do not perform such
processing themselves.
A concern with smart cards (and certain other encryption devices) is their vulnerability to power
analysis attacks if they fall into the wrong hands. Such attacks involve device power
measurements and their analysis while the smart card is in operation. Mathematical analysis of
the differences in power consumption during different operations of the smart card can make
possible the decryption of the smart card’s information. Other types of attacks include replay and
micro-probing. Such vulnerability notwithstanding, smart cards are an important tool in
improving authentication on mobile devices, making them less likely to be misused if they fall
into the hands of strangers.
Biometric Technologies
Biometric devices use physical traits such as fingerprint, iris, face, and voice to identify an
individual. Fingerprints are an accurate trait to use for computer-based identification, and
solutions developed for fingerprints are currently the most cost-effective and easy to use.
Compaq partners with Identix, a leader in biometric identification technology, to produce
Compaq Fingerprint Identification Technology (FIT) for the commercial market. A tiny camera
in the Fingerprint Identification Reader captures an image of the fingerprint of a device's
legitimate user. The information then goes through some complex algorithms to convert the
image into a unique "map" of minutiae points (unique data points that describe the fingerprint).
This map of minutiae points (not the actual fingerprint) is then encrypted and stored within the
network. The user places a registered finger on the reader attached to his or her PC in order to log
on to the network. The information is then extracted and compared to information on the
computer. If the comparison is a sufficient match, the user is allowed to log in.
Where mobile devices are concerned, Compaq FIT is currently available only for Compaq
Armada and Evo notebook computers. For more information on Compaq FIT,
see http://www.compaq.com/products/notebooks/security.html or
http://www.compaq.com/products/quickspecs/10103_div/10103_div.HTML.
Multi-factor Authentication
Multi-factor authentication is one of the best ways to improve security at the device level.
Corporations sensitive to security breaches are moving quickly to at least two-factor
authentication – choosing two types of authentication as requirements for accessing data. Such
security requires the user to authenticate himself or herself in more than one way in order to
improve security. The means of authentication may include the following:
- Something the user knows (password)
- Something the user has (tokens -- smart card)
- Who the user is (biometrics -- fingerprint identification)
Requiring at least two types of authentication is dramatically more secure than requiring only
one.
File System Security
While desktop operating systems such as Windows 2000 offer an encrypted file system, this is
not yet common on mobile platforms. If the data on a mobile device is sensitive, it is worth
investigating security software that can encrypt such information. FileCrypto for PocketPC from
F-Secure Corporation of Helsinki, Finland provides such encryption for mobile devices.
Key features of F-Secure FileCrypto for PocketPC are the following:
- Encrypts documents in selected folders on the fly
- Strong real-time encryption with 128-bit Blowfish
- Allows creation of user-specified encrypted folders
- Supports removable media
- Automatic installation through a host PC to the PDA device at next ActiveSync
- Minimum length and character set of pass-phrase can be defined
- ActiveSync protected by the same pass-phrase
- Automatic encryption at power-off
- Key recovery ensures that corporate data is not lost if the pass-phrase is forgotten
Compaq iPAQ Pocket PCs ship with F-Secure today. For more information on F-Secure
products see http://www.fsecure.com.
SecurID
SecurID is a two-factor authentication technique that combines a user's PIN with the operations of
an external authenticator device to produce a secure user login. The SecurID external
authenticator may be implemented as a key fob, smart card, or software token. It generates a
unique code every sixty seconds in strict synchronicity with the server. The user's login password
combines the SecurID code with his or her PIN.
RSA Security did not develop a Pocket PC client, but instead incorporated SecurID into the
EZOS WAP micro-browser called EzWAP.[3]
Device-Specific Firewalls
Industry best practices dictate the use of a device-mounted firewall when connecting to the
Internet, especially through a wireless VPN connection. Software-based firewalls are available
from third-party providers. One such product is Black Ice, available from Network ICE
Corporation. Notwithstanding the protection offered, such firewalls are often not incorporated
into the access device; either because of the small hard drives of handheld devices or through lack
of a corporate security policy (or enforcement of same) requiring such use.
Connectivity Technologies
The second key juncture in the pipe, after wireless access devices, is a range of wireless
connectivity technologies. These technologies provide the infrastructure, standards, and protocols
that permit information to travel wirelessly between mobile clients and the wired lines that
provide access to corporate servers. Different connection technologies are used at different times,
depending on the availability and efficiency of each connection type at any given time.
- Internal users use a wireless connection at work to stay connected while they roam. For
  example, they can send and receive e-mail while attending meetings in conference rooms.
  Generally, wireless local area networks (WLANs) will facilitate this usage.
- Individual users can connect between various personal devices wherever they are, such as
  from a cell phone to a handheld to a desktop computer without cables to synchronize data or
  gain access to a wireless connection. Wireless personal area networks (WPANs) facilitate
  such connections between devices.
- External users increasingly want corporate connectivity anywhere at any time. For example,
  they can send and receive e-mail, access corporate data, the Internet and intranets, while
  sitting in airport lounges, traveling in a cab or sitting in front of a customer. Wireless local
  area networks (WLANs) and wireless wide area networks (WWANs) facilitate this usage.
[3] EzWAP 2.0 is a platform-independent WAP micro-browser enabling a variety of computing systems…to access the mobile Internet
environment. (http://www.ezos.com)
A brief description of these connectivity technologies follows, and detailed papers that exist on
each technology are referenced below. The following three subsections comment briefly on the
three types of wireless networks and provide an illustration of each type.
Wireless Local-area Networks
A wireless local-area network (WLAN) is a type of LAN that uses high-frequency radio waves
rather than wires to transmit data among its nodes. It is a flexible data communication system
implemented as an extension or alternative to a wired LAN within a building or campus. Users of
a WLAN can enjoy connectivity to the network without having to plug cables into Ethernet jacks
in every office and conference room.
Figure 2 illustrates a WLAN.
Figure 2: Wireless Local-area Network
Wireless Security White Paper 26
- For security reasons, the authentication information must be cryptologically secure. This
  implies that the Authenticator cannot decrypt the credentials.
- The model must be extensible to new authentication mechanisms as they are invented and
  implemented.
In order to ensure that the Authenticator can always identify and interpret new authentication
mechanisms, any authentication types must be encapsulated using the Extensible Authentication
Protocol (EAP) as specified in RFC 2284. EAP already supports multiple authentication schemes
including smart cards, Kerberos, Public Key Encryptions, and One Time Passwords. Many others
can be added.
The biggest security consideration of 802.1x is that its sole purpose is authentication. It does not
provide integrity, encryption, replay protection or non-repudiation. These would need to be
implemented with complementary schemes such as IPSec.
There are also other points of vulnerability that must be addressed in any implementation of
802.1x:
- Piggybacking on an authenticated port – Multiple end stations on a port must be detected and
  disconnected
- Interception of credentials – Passwords must always be encrypted
- Subversion of authentication negotiation – It should not be possible to provoke a lesser form
  of authentication by interfering with the authentication process
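As an added example (not from the Compaq paper), the following Python parses the EAP packet layout from RFC 2284 that 802.1x uses to carry authentication methods, and shows how an Authenticator can treat a Nak response that proposes a method outside its policy as the subversion of negotiation listed above, failing the session rather than falling back to the weaker method. The allowed-method policy (STRONG_METHODS) and the sample frames are constructed assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# EAP Code values (RFC 2284 section 2.2).
CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
# EAP Type values carried by Request/Response packets (RFC 2284 section 3).
TYPE_IDENTITY, TYPE_NOTIFICATION, TYPE_NAK = 1, 2, 3
TYPE_MD5_CHALLENGE, TYPE_OTP, TYPE_GENERIC_TOKEN_CARD = 4, 5, 6
TYPE_NAMES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
              5: "One-Time Password", 6: "Generic Token Card"}


@dataclass(frozen=True)
class EapPacket:
    code: int
    identifier: int
    length: int
    eap_type: Optional[int]   # None for Success/Failure, which carry no Type octet
    type_data: bytes


def parse_eap(buf: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2, big-endian) Data."""
    if len(buf) < 4:
        raise ValueError("EAP packet shorter than the 4-octet header")
    code, identifier, length = struct.unpack("!BBH", buf[:4])
    # Length covers the whole packet; reject truncated frames and never read past it.
    if length < 4 or length > len(buf):
        raise ValueError(f"bad EAP Length {length} for a {len(buf)}-octet buffer")
    body = buf[4:length]
    if code in (CODE_REQUEST, CODE_RESPONSE):
        if not body:
            raise ValueError("Request/Response packet is missing its Type octet")
        return EapPacket(code, identifier, length, body[0], bytes(body[1:]))
    if code in (CODE_SUCCESS, CODE_FAILURE):
        return EapPacket(code, identifier, length, None, bytes(body))
    raise ValueError(f"unknown EAP Code {code}")


def nak_requested_types(pkt: EapPacket) -> Tuple[int, ...]:
    """Methods the peer proposes in a Nak (RFC 2284: one octet; later EAP allows several)."""
    if pkt.code != CODE_RESPONSE or pkt.eap_type != TYPE_NAK:
        raise ValueError("not a Nak response")
    return tuple(pkt.type_data)


def check_negotiation(pkt: EapPacket, allowed: Set[int]) -> Tuple[bool, str]:
    """Authenticator-side policy: a Nak asking for a method outside the allowed set is a
    downgrade attempt; the session must fail instead of switching to that method."""
    if pkt.code != CODE_RESPONSE or pkt.eap_type != TYPE_NAK:
        return True, "not a Nak; nothing to negotiate"
    wanted = nak_requested_types(pkt)
    disallowed = [TYPE_NAMES.get(t, str(t)) for t in wanted if t not in allowed]
    if disallowed:
        return False, "peer asked to fall back to: " + ", ".join(disallowed)
    return True, "peer proposed only allowed methods"


# Constructed sample frames (not captured traffic).
IDENTITY_REQUEST = bytes([CODE_REQUEST, 0x01, 0x00, 0x05, TYPE_IDENTITY])
# Response, id 2, length 6: a Nak asking the Authenticator to use MD5-Challenge instead.
NAK_WANTS_MD5 = bytes([CODE_RESPONSE, 0x02, 0x00, 0x06, TYPE_NAK, TYPE_MD5_CHALLENGE])
TRUNCATED = bytes([CODE_RESPONSE, 0x03, 0x00, 0x20, TYPE_NAK])  # claims 32 octets, has 5

# Assumed site policy: only the token-based methods the paper mentions are acceptable.
STRONG_METHODS = {TYPE_OTP, TYPE_GENERIC_TOKEN_CARD}

if __name__ == "__main__":
    for frame in (IDENTITY_REQUEST, NAK_WANTS_MD5):
        pkt = parse_eap(frame)
        print(pkt, check_negotiation(pkt, STRONG_METHODS))
```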
802.11b WLANs are ideal candidates for 802.1x authentication since they represent a completely
uncontrolled periphery. While it is possible to restrict physical access to wired LANs, this is not
feasible in a wireless environment. It is much more difficult to monitor and enforce the air space
around office buildings than the ports and wiring within them.
This vulnerability is currently addressed using Wired Equivalent Privacy (WEP), which is
available on 802.11b Access Points. If WEP is in use, then all stations must configure a
symmetric passphrase in order to connect. All transmission is then encrypted with 40-128 bit
encryption.
Recently, there have been alleged cryptological weaknesses with the WEP algorithms that have
cast a shadow on its use. Beyond these there is a fundamental problem with key distribution and
update. Since WEP keys are typically symmetrical (the same on the Access Point and all
connecting stations) they must be changed in unison. Clearly this is difficult to orchestrate when
large user populations are involved.
There have been solutions, including automating regular key changes, for example, using logon
scripts; however, they are non-standard and require additional work. There are also problems
ensuring that employees who leave the company no longer have access to the network, since they
could “remember” their WEP key.
Another aspect of the problem arises when users connect to multiple different wireless LANs
(e.g. in public areas or at customer sites). Current WEP implementations require that the user
manually change the WEP key each time a new network is selected, which is tedious and
interferes with any automated key changes.
802.1x solves all of these problems. It is not necessary to distribute any keys. The user can
authenticate to a central Authentication server, which stores per-user credentials that can be
disabled or modified as needed.