Computers

SECURITY OF WIRELESS COMMUNICATIONS

Introduction

Wireless devices, like all technologies that provide external access to corporate networks, present security challenges. With wireless standards and practices still rapidly evolving, it is important to understand the strengths and limitations of available technologies in order to implement a secure solution. Extending current security policies to encompass wireless devices requires an understanding of the security features of both wireless devices and wireless networks.

Purpose of the Study

The purpose of the study was to assist in the decision whether Lotus Development should extend current security policies to encompass wireless devices. The following are critical security questions:

* What challenges are faced with wireless security?

* How can you verify that the device being used is actually in the hands of an authorized user? How can you enhance the security of the device?

* How secure is the over-the-air network between the organization and the wireless device?

* How can you secure the wireless session?

* Should Lotus development include wireless devices in their security policies?

Research Methods and Procedures

Through traditional and electronic research of books, periodicals, and business journals, secondary research was conducted. Figures were constructed through extensive research and study of interactions of networks.

Wireless Security Challenges

Mobile devices and wireless networks rely on a broad spectrum of technology, much of it cutting-edge. In comparison to PCs, each class of mobile device currently represents a unique hardware and software platform. Mobile phones, for example, have varying capabilities and limitations both as computing devices and as client devices accessing corporate networks. The wireless networks that support mobile devices are similarly diverse.

By relying on industry standard protocols like TCP/IP, HTTP, SMTP and TAP, Mobile Services supports many of the major wireless networks currently in operation. This standards-based approach also provides MSD with a common security model that can operate across wireless networks, while at the same time taking some of the complexity out of doing business with different wireless network providers (Braden 1997).

However, it is important to understand that there is currently no industry-wide security standard that will work on every mobile device and on every wireless network, in the way that X.509 and SSL span the PC universe. MSD bridges this gap wherever possible by adding its own security features (Freeburg 1991).

Mobile Device Security

Most mobile devices currently provide only a simple username/password combination to block use of the device (a few also offer local data encryption). And since most users do not employ even this rudimentary level of security, mobile devices like pagers, mobile phones and PDAs are essentially unsecured (Aziz 1993).

Existing PC-based security mechanisms, such as client certificates, simply don't exist yet for wireless devices. The main reason is that wireless devices currently lack the computing power necessary to validate a certificate locally. Moreover, each wireless device has its own unique hardware, operating system services and integrated applications. These factors make it difficult to create a standard local security mechanism that can work across all wireless technologies.

Security, moreover, has only recently become a major concern of device vendors. This is because wireless devices have traditionally been targeted at individual users for access to their personal data, not corporate data. But as mobile device usage among corporate customers increases, improved security has become a paramount requirement. As vendors address this growing need, more and more security solutions and proposed standards will emerge (Aziz 1993).

Device Security Enhancements

MSD supports the full spectrum of wireless devices: from one-way alphanumeric pagers that can receive a simple message from the network; to the latest generation of Web-ready phones equipped with micro-browsers, from which users can access their Notes mail, calendar and corporate directory.

Because of the great diversity of device capabilities, as well as their inherent security limitations, MSD cannot provide security for data stored locally across every device. Instead, MSD provides security for corporate data inside the firewall, by securing it against unauthorized access by wireless devices.

In particular, MSD provides administrators with the ability to (Cohen 1991):

* Associate a specific, authorized user with each mobile device ("Trusted Devices").

* Specify what wireless networks can communicate with MSD ("Trusted IP Addresses").

Trusted Devices

MSD's Trusted Devices feature enables administrators both to know what employee is authorized to use each device, and to control the ability of each user or device to access MSD. For example, if an employee loses his or her mobile device, an administrator can immediately disable the use of that device with MSD, thus eliminating the risk that an impostor will access the network.

In addition to Trusted Devices, MSD offers a related security feature called Dynamic Device/User Mapping. It works like this: the first time a user successfully enters a valid HTTP username and password from a properly registered mobile device, a record is created in MSD's configuration database that maps the user's fully qualified username to a unique device ID (which is received from the device). By default, users can easily clear this record using their mobile devices, in order to share the device with someone else. However, administrators can choose to "lock" the first-time mapping between device ID and username, preventing anyone other than the original, authorized person from using the device (Banan 1999).

Trusted IP Addresses

MSD enables administrators to register the IP addresses of the gateways they use with MSD. Only HTTP requests from these IP addresses are permitted to use the MSD application. This effectively restricts the proxies that can access an organizational network (Perkins 1996).

Over-the-Air

...