
Security advice for mobile working over wireless LANs.

InfoSecurity Europe : 03 April, 2008  (Technical Article)
Juergen Hoenig of NCP Secure Communications examines the topic of running mobile computers over wireless hotspots whilst remaining secure.
Wireless broadband Internet access via hotspots is convenient not only for casual "surfers" but also for teleworkers. But what must the mobile user watch for when using a hotspot to reach the central company network? One thing is certain: the security technologies built into WLAN products offer insufficient protection here. What is needed is a security solution that protects the teleworker's workplace in every phase of connection setup at a hotspot, without risky configurations and without depending on users or administrators. This article examines the effectiveness of VPN security mechanisms, data encryption, strong authentication and personal firewalls, and shows how optimal protection can be achieved by dynamically integrating each of these technologies.

Basically, any user with a suitably equipped device can access a public WLAN. Once the device is within range of the access points, recognises the SSID (service set identifier) of the WLAN and is granted access, it automatically obtains an IP address. The WLAN operator guarantees neither the security of the data nor the protection of the participating devices from attack.

Insofar as security is a concern for the hotspot operator at all, it means monitoring authorised network access in order to prevent misuse of the service. User identification serves solely to record and bill online time. But what about protecting sensitive information during transmission? How can the PC best seal itself off from attacks from the WLAN and from the Internet? The real security risk at the hotspot arises from having to register with the operator outside the protected area of a VPN, which as a rule must be done through the browser. During this period the terminal device is unprotected. This conflicts with the company's security policy, which prohibits direct surfing on the Internet and permits only certain protocols.

Basically, VPN (virtual private network) mechanisms and data encryption serve to protect confidentiality. The corresponding security standards are IPsec tunnelling, AES encryption for data and X.509 v3 certificates for access protection. Additional mechanisms such as certificates in a PKI (public key infrastructure) or one-time password tokens provide strong user authentication and complement or replace the usual user ID and password. A personal firewall offers the required protection against attacks from the Internet and from the public WLAN; here the state of the art is stateful packet inspection. Where this is not available, it is fundamentally inadvisable to use a hotspot for mobile computing.

With a VPN solution and a separately installed firewall, the personal firewall's ports for http/https traffic must be opened during hotspot registration.

Fundamentally, this can take place in three different ways:

1 The firewall rules for http/https are permanently preconfigured so that the desired hotspots are guaranteed to work.
2 The configuration allows the http/https ports to be opened on demand for a certain time window (e.g. 2 minutes).
3 The user has administration rights and changes the firewall rules independently.

In all three cases the security risk is that the user surfs the Internet outside the secure VPN tunnel and can pick up malicious software such as viruses, worms or Trojans. With a temporarily opened firewall there is the added danger of deliberate misuse through the user repeatedly triggering the time window. If the personal firewall fundamentally permits no communication outside its configuration, the user must activate the corresponding firewall rules for the duration of registration at the hotspot. This on-demand opening of the personal firewall carries the greatest risk of misconfiguration: the user must know exactly which changes to make, in which environment and where. Employee security awareness and technical know-how then determine the quality of the security level.

A further major security risk is that user data (user ID/password) are spied out at the hotspot during the registration process. An attacker uses a notebook to simulate the hotspot, broadcasting the WLAN's SSID. If a user now registers at the hotspot, he does not land at the provider's access point but on the attacker's notebook. Because the attacker has previously mirrored the access point's web pages, the user still assumes he is authenticating to the hotspot. In reality he is on the attacker's notebook, which now holds the registration data.

The provider does, of course, attempt to protect the hotspot registration pages with SSL (https). However, this does not always succeed, as the following scenario shows. A user who arrives at a manipulated hotspot receives the following message from the browser: "A problem exists with the security certificate on the web site." Behind this message lies the fact that the attacker has merely recreated the hotspot registration page and therefore does not have the original certificate. To the lay person this is not recognisable at first glance, though an experienced user might eventually become suspicious. Nevertheless, it is left to the user alone to decide at that moment whether to trust the certificate. So as not to put the user in the position of making this decision, hotspot registration should run transparently before the VPN is established. A solution that has proven itself in practice is a registration script that handles both the transmission of the registration data to the hotspot and the inspection of the certificate.

The requirements for a personal firewall in mobile computing on WLANs are multilayered. They also cover the critical phases of registering at and signing off from the hotspot: the firewall must be active as early as possible, i.e. from system start, and must remain active when no VPN connection exists or the connection has been deactivated. Furthermore, the user must be prevented from arbitrarily reconfiguring or completely shutting off the personal firewall.

This dilemma can be resolved by a VPN solution with a client-integrated personal firewall, such as that offered by NCP Engineering GmbH. The integrated variant has the advantage that the personal firewall and the VPN client are functionally linked to one another. Working as a team, the existing firewall rule sets are activated dynamically depending on the network environment. Fundamentally, three situations are distinguished:

1 Known networks
2 Unknown networks
3 VPN networks

The network is recognised automatically by validating several network factors. In "friendly networks" permissive firewall rules apply; in public, external environments such as a hotspot, restrictive ones. The personal firewall must have intelligent mechanisms that guarantee secure activation of network access via the browser as well as secure registration at the hotspot. The user selects the menu item "hotspot registration" in the welcome area of a public WLAN. The VPN client then automatically searches for the hotspot and opens the registration web page in a standard browser. After successful entry of the access data and activation by the operator, the VPN connection to company headquarters can be established and communication is as secure as at an office workplace.

The PC is thus reachable in the WLAN only for the shortest possible time: ports for http/https are assigned dynamically for registering at and logging off from the hotspot. During this time, data traffic is possible only with the operator's hotspot server; all other packets are refused. This guarantees that from a public WLAN only the VPN connection to the central data network can be used and no direct Internet access can take place.
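As an added illustration (example code written for this page, not NCP's software and not part of the original article), the following Python model implements the environment-dependent rule sets just described: permissive rules in a known network, a one-shot, time-limited http/https opening to the hotspot server alone in an unknown network, and tunnel traffic only otherwise. The 2-minute window, the single-activation limit, the gateway and hotspot addresses and the IPsec ports 500/4500 are this example's assumptions.

```python
import time

HTTP_PORTS = {80, 443}      # opened only for hotspot registration / sign-off
IPSEC_PORTS = {500, 4500}   # IKE and NAT-T, needed to build the IPsec tunnel


class HotspotFirewall:
    """Model of a client-integrated personal firewall whose active rule set
    depends on the detected environment: "known", "unknown" or "vpn".
    The one-shot registration window is this example's own safeguard against
    the user re-triggering the time window repeatedly."""

    def __init__(self, vpn_gateway, window_seconds=120, max_windows=1):
        self.vpn_gateway = vpn_gateway      # assumed address of the company VPN gateway
        self.window_seconds = window_seconds
        self.max_windows = max_windows
        self.env = "unknown"                # a public WLAN is unknown until validated
        self.hotspot_server = None
        self.window_until = 0.0
        self.windows_used = 0

    def set_environment(self, env):
        """Switch rule set after network recognition; leaving the public WLAN
        closes any registration window that is still open."""
        if env not in ("known", "unknown", "vpn"):
            raise ValueError(env)
        self.env = env
        if env != "unknown":
            self.window_until = 0.0

    def open_registration_window(self, hotspot_server, now=None):
        """Open http/https to the hotspot server only, for a bounded time.
        Refused outside unknown networks and once the activation budget is spent."""
        now = time.time() if now is None else now
        if self.env != "unknown" or self.windows_used >= self.max_windows:
            return False
        self.windows_used += 1
        self.hotspot_server = hotspot_server
        self.window_until = now + self.window_seconds
        return True

    def allows(self, dst, port, now=None):
        """Decide whether an outbound packet to dst:port may leave the PC."""
        now = time.time() if now is None else now
        if self.env == "known":
            return True                                   # permissive friendly-network rules
        if dst == self.vpn_gateway and port in IPSEC_PORTS:
            return True                                   # tunnel set-up and tunnel traffic
        if self.env == "unknown" and now < self.window_until:
            return dst == self.hotspot_server and port in HTTP_PORTS
        return False                                      # everything else is refused
```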

A further important component in implementing company-wide security directives for mobile computing at hotspots is central management of the client software. With central security management, the administrator also determines the client's firewall rules and can enforce them so that the user has no possibility on site of changing them, intentionally or unintentionally. In addition, further security-relevant parameters such as the status of the virus protection program, the operating system patch level and the software release of the VPN client must be inspected on connection to the company network. Access to the production network is authorised only after all security risks have been excluded.

The prerequisite for secure remote access over WLANs is end-to-end security with interlocking, dynamic security technologies. The state of the art is a VPN client with an integrated, intelligent personal firewall and strong user authentication. The firewall rules must adapt automatically to registering at and logging off from the hotspot, and are checked within the framework of integrated endpoint security on every connection. Only in this way can administrators and users rely at all times on the terminal devices, the data and ultimately the company network being sealed off.

NCP Secure Communications is exhibiting at Infosecurity Europe 2008 on 22nd - 24th April 2008 in the Grand Hall, Booth H201, Olympia.