Securing Wireless Technology: Communication, Part II
By Intermec Technologies Corp.
Wednesday, 20 July 2005 14:58 EST
The beauty of wireless communication is that it frees the user from the limited reach of wires or a dock. Mobile data systems pass information from mobile devices in remote locations to the enterprise data center via radio waves in “free space.” This area in the middle, between the device and host, is where the information is transported or communicated. This layer must be secured as well.
As there are no physical boundaries to prevent intruders from intercepting data in free space, wireless communication security must protect the packets of data being transmitted, ensuring that only those for whom they are intended can read them. This is accomplished through “secure tunnels.” Just as there are many ways to build physical tunnels, there is more than one way to create wireless tunnels. Here are the basic building blocks of creating a secure tunnel:
• User Authentication – Determining that network users are who they claim to be. Authentication grants access to users on the basis of the credentials they present; it establishes who is at the other end of the tunnel, and it is the identity on which the remaining building blocks depend. (Detecting that a third party has altered data sent between two users is the job of message authentication, below, not of user authentication.)
• Encryption – Encoding data before it is transmitted and delivering it in a way that can be quickly deciphered by the authenticated receiver. Encryption allows sensitive information to traverse a public network without compromising confidentiality
• Message Authentication – Proof that messages, encrypted or otherwise, have not been tampered with or replayed (sent multiple times to cause havoc) between the sender and receiver. Encryption alone does not provide this; it takes a keyed integrity check on every message plus a sequence number so that duplicates can be recognized.
• Access Control – Blocking unwanted user access to an internal network or service. This restricts the user to the tools that are designated for them. Access control decisions are normally made on the basis of the authenticated identity, which is why authentication comes first.
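The following is an added example, not code from the original article or from Intermec, showing the building blocks above working together as a minimal tunnel record layer: every packet carries an authenticated sequence number, the receiver checks the integrity tag before anything else, and an IPsec-style sliding window rejects replays. The session keys are constructed with os.urandom (a real tunnel gets them from its key exchange), and the HMAC-based counter-mode keystream stands in for AES so the example runs on the standard library alone; a production tunnel uses AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import os
import struct

# Session keys: constructed here with os.urandom; a real tunnel gets them from
# its key exchange (IKE for IPsec, the TLS handshake, the 802.11i 4-way handshake).
ENC_KEY = os.urandom(32)
MAC_KEY = os.urandom(32)
TAG_LEN = 16
WINDOW = 64  # anti-replay window size, as in RFC 4303 (ESP)


def keystream(key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256, keyed by the packet sequence number.
    Stands in for AES-CTR so the example needs only the standard library."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">IQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def seal(seq: int, plaintext: bytes) -> bytes:
    """Sender side. Packet layout: seq(4) || ciphertext || tag(16), encrypt-then-MAC.
    The sequence number is covered by the tag, so a renumbered packet is caught too."""
    ks = keystream(ENC_KEY, seq, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = struct.pack(">I", seq)
    tag = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return header + ciphertext + tag


class Receiver:
    """Receiver side with a sliding anti-replay window: bit i of `seen`
    records whether packet number (highest - i) has already been accepted."""

    def __init__(self):
        self.highest = 0
        self.seen = 0

    def open(self, packet: bytes):
        """Returns (plaintext, "ok") or (None, reason). The MAC is verified before
        the window is touched, so forged packets cannot advance it and block real ones."""
        if len(packet) < 4 + TAG_LEN:
            return None, "too short"
        header, ciphertext, tag = packet[:4], packet[4:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(MAC_KEY, header + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None, "bad MAC"
        (seq,) = struct.unpack(">I", header)
        if seq > self.highest:
            # New high-water mark: slide the window forward and mark this packet.
            self.seen = ((self.seen << (seq - self.highest)) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            behind = self.highest - seq
            if behind >= WINDOW:
                return None, "too old"
            if self.seen & (1 << behind):
                return None, "replayed"
            self.seen |= 1 << behind
        ks = keystream(ENC_KEY, seq, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks)), "ok"


def demo() -> list:
    """Constructed traffic: in-order delivery, reordering, a replay, a modified packet."""
    rx = Receiver()
    p1, p2, p3 = seal(1, b"GET /orders"), seal(2, b"POST /pick"), seal(3, b"ACK")
    results = [rx.open(p1)[1], rx.open(p3)[1], rx.open(p2)[1]]  # ok, ok (out of order), ok
    results.append(rx.open(p1)[1])                               # replayed
    modified = bytearray(p2)
    modified[6] ^= 0x01                                          # flip one ciphertext bit
    results.append(rx.open(bytes(modified))[1])                  # bad MAC
    results.append(rx.open(seal(1, b"GET /orders"))[1])          # re-sent with old seq: replayed
    return results
```

Two details are worth copying into any real implementation: the integrity check runs before the replay check, and the window accepts out-of-order packets within 64 positions while refusing anything older, which is what lets a tunnel survive normal wireless packet reordering without opening the door to replays.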
When it comes to wireless security, one size certainly does not fit all. The type of security deployed for WLANs can be very different from those designed for other wireless technologies such as GPRS, Bluetooth and RFID.
Companies securing wireless LANs are primarily concerned about data theft: potential intruders driving by the facility or sitting in the parking lot, trying to pick up the company’s wireless signal and possibly gaining access to the network. “Man-in-the-middle” attacks, in which an intruder inserts himself between a client and the access point (for example, by posing as the access point) and relays, reads or alters the traffic passing through, are another mode of data theft. Recommended means for securing a WLAN include WPA, WPA2, virtual private networks (VPNs), security gateways and firewalls.
WPA (Wi-Fi Protected Access)
WPA is a standards-based, interoperable security technology for 802.11-based Wi-Fi networks. It provides data protection by combining encryption with access control and user authentication. WPA uses TKIP: RC4 with 128-bit keys, per-packet key mixing and a message integrity check, with dynamic session keys derived for each association instead of the static keys of WEP. It was designed as an interim, firmware-upgradable replacement for WEP; TKIP has since been deprecated, and new deployments should use WPA2 or later.
WPA2 (Wi-Fi Protected Access 2)
WPA2 is the certified interoperable version of the full IEEE 802.11i specification, which was ratified in June 2004. WPA2 supports 802.1X/EAP authentication (or a pre-shared key in personal mode) and uses AES, the Advanced Encryption Standard, in CCMP mode for both encryption and integrity. It provides a very high level of assurance that only authorized users are accessing the WLAN, provided the credentials, or the pre-shared passphrase, are strong.
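To make “dynamic session keys” concrete, here is an added example (not code from the original article or from Intermec) that walks the 802.11i key hierarchy in pre-shared-key mode: the PMK is derived from the passphrase and SSID, the per-session PTK is derived from the PMK plus both MAC addresses and the two handshake nonces, and message 2 of the 4-way handshake is authenticated with the KCK exactly as an access point checks it. The MAC addresses, nonces and EAPOL-Key field values are constructed for the example; the derivation functions follow the standard.

```python
import hashlib
import hmac

# Constructed parameters for one association: AP and station MAC addresses.
AA = bytes.fromhex("001122334455")   # authenticator (AP) address
SPA = bytes.fromhex("66778899aabb")  # supplicant (station) address
MIC_OFFSET = 81                      # EAPOL header (4) + EAPOL-Key fields before the MIC (77)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    Every key below is derived from this, so the passphrase is the entire secret."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out, i = b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the addresses || min/max of the nonces).
    For CCMP the 48 bytes split into KCK (MIC key), KEK (key-wrap key) and TK (data key).
    Fresh nonces on every association are what make these session keys dynamic."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def build_msg2(snonce: bytes, mic: bytes = bytes(16)) -> bytes:
    """EAPOL-Key frame for handshake message 2, fields in specification order, empty key data.
    Values other than the nonce are constructed for the example."""
    body = (b"\x02"                        # descriptor type: RSN
            + b"\x01\x0a"                  # key info: version 2 (HMAC-SHA1 MIC), pairwise, MIC present
            + b"\x00\x10"                  # key length: 16 (CCMP)
            + (1).to_bytes(8, "big")       # replay counter
            + snonce                       # key nonce (32 bytes)
            + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID: unused in message 2
            + mic                          # key MIC (all zero while it is being computed)
            + b"\x00\x00")                 # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC, descriptor version 2: HMAC-SHA1(KCK, whole EAPOL frame with MIC zeroed), 16 bytes."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def handshake(sta_passphrase: str, ap_passphrase: str, ssid: str, anonce: bytes, snonce: bytes):
    """Messages 1 and 2 of the 4-way handshake. Returns (mic_ok, tk as seen by the AP)."""
    # Station: it received ANonce in message 1, picks SNonce, derives its PTK and signs message 2.
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, ssid), AA, SPA, anonce, snonce)
    msg2 = build_msg2(snonce, eapol_mic(sta_ptk["kck"], build_msg2(snonce)))
    # AP: derives its own PTK the same way and checks the MIC. A mismatch means the station
    # does not hold the same PMK, and no key is ever installed for it.
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, ssid), AA, SPA, anonce, snonce)
    received = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    mic_ok = hmac.compare_digest(received, eapol_mic(ap_ptk["kck"], msg2))
    return mic_ok, ap_ptk["tk"]
```

The practical lesson is visible in the code: with 802.1X/EAP the PMK comes out of the EAP exchange and differs per user, but in pre-shared-key mode everything hangs off one PBKDF2 of the passphrase, and 4096 iterations of SHA-1 cost very little per guess, so the passphrase must be long and random rather than a dictionary word.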
Virtual Private Networks (VPNs)
Most major corporations today use VPNs to protect remote-access workers and their connections. VPNs create a secure “tunnel” from the end-user’s computer, through the end-user’s access point or gateway, on through the Internet and all the way to the corporation’s servers and systems. VPNs also can be implemented within local area wireless networks to protect transmissions from WLAN-equipped computers to corporate servers and systems.
Most corporate IT departments are already skilled with VPN technology and can modify existing systems to support WLAN networks. A VPN works through a designated VPN server at the company headquarters, which negotiates keys and an encryption scheme for data transferred to computers outside the corporate offices. VPN client software on the remote computer uses the same scheme, so that packets intercepted in transit cannot be read and any modification is detected. The wireless market currently is split between two distinct types of VPNs: IPsec (IP security) and SSL/TLS (Secure Sockets Layer, now Transport Layer Security) technologies.
Enterprises can further control access of mobile devices to various back-end resources, such as SAP, ERP databases and financial records, through gateway servers. Gateways can be configured to allow mobile devices to access only required services, while preventing access to the greater Internet. In addition, gateways can be configured to block specific mobile devices from network access if reported as lost or stolen.
Network firewalls can make a network appear invisible to Internet traffic and can block unauthorized users from accessing files and systems. Hardware and software firewall systems monitor and control the flow of data in and out of computers in the wired and wireless enterprise, businesses and home networks. They can be set to intercept, analyze and stop a wide range of Internet intruders and hackers.
Many levels of firewall technology are available, from software-only products to combined hardware and software appliances. Some WLAN gateways and access points provide built-in firewall capability. Even where they do not, most WLAN gateways route with network address translation (NAT), which hides the internal addresses of the networked computers from scans and probes coming from the Internet. NAT is not a substitute for a firewall, however: it does nothing to filter traffic between the wireless clients and the internal network, which is exactly where an intruder who has joined the WLAN sits.
Wide Area Wireless Communication Security
Wide area wireless technologies such as CDMA, GSM and GPRS act as bearers, or pipelines, for the information sent to and received from the company network. Whatever encryption the carrier applies on the air link ends inside the carrier’s network, so as a safety precaution companies should only allow network communication over wide area links that is encrypted end to end by TLS (SSL) or IPsec. In addition, network access should only be granted to authenticated users.
Internet protocol-based VPNs provide the tunneling and encryption required for business users to safely access their critical applications over wide area connections, using IPSec to ensure the privacy of data traveling over the public Internet.
As businesses support more remote users, VPNs can be designed to support high network availability, ensuring that mission-critical data arrives on time. Additionally, IP-based VPNs can be deployed and integrated easily with existing network infrastructures, enabling enterprises to scale operations to meet the expanding demand for remote access.
Since the technology’s inception, the Bluetooth specification has included security measures to ensure safe use. It provides methods to bond devices in one-to-one relationships, using a PIN to authenticate a particular Bluetooth device. Once bonded, a Bluetooth device may be set to “non-discoverable” mode, which hides it from other devices’ inquiry (discovery) scans. Note that non-discoverable mode only hides the device: a party that already knows its address can still attempt to connect, so authentication, not invisibility, is the real control on who may access or send data.
These capabilities, pairing (authenticating two devices with a shared PIN and deriving a link key from it) and bonding (storing that link key so the two devices recognize each other on later connections without re-entering the PIN), provide Bluetooth device authentication. Bluetooth extends device authentication to protection of transmitted data through optional link encryption with a key of up to 128 bits; the key length is negotiated between the two devices and may be shorter, so the strongest setting both ends support should be required.
Educating users to deny requests to pair with a Bluetooth device if the requestor is unknown can eliminate many Bluetooth security breaches. This can become a non-issue by setting the Bluetooth terminal to “undiscoverable” once paired with the intended Bluetooth peripheral.
From an industry perspective, transmission of highly sensitive data over a Bluetooth link – such as funds transfer transactions -- is not recommended.
RFID Security Issues
Often, the data stored on an RFID tag is of a public nature and product related, such as UPC/EPC codes or product descriptions. Generally these descriptions also are copied in human and machine-readable format on printed barcodes. This kind of data requires low or no security.
Companies using RFID technology in other, more security-sensitive environments must protect the data when it is in transit – from the RFID tag to the reader and from the reader to the network. To ensure confidentiality, data should be encrypted as it is written to the tag.
As an additional security measure, part of the data area on a tag may be used to store a cryptographic check value that verifies that the rest of the data reported has not been tampered with. A plain hash such as SHA-1 is not sufficient for this: anyone who can rewrite the data can recompute the hash to match. The check value must be a keyed message authentication code (computed with a key held by the readers) or a digital signature (verified with a public key, so readers need hold no secret). Some or all of the reported data also may be encrypted. Data on RFID tags also can be “locked” to prevent anyone from changing or erasing it.
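The difference between a plain hash and a keyed check value is easy to demonstrate. The following is an added example, not code from the original article or from Intermec: it lays out tag memory as payload followed by a 20-byte check value, implements both the SHA-1 scheme and an HMAC scheme, and shows that an intruder with write access defeats the first but not the second. The HMAC also covers the tag’s read-only unique ID, which is assumed here (EPC Gen2 tags expose one in the TID bank) and which stops a valid record from simply being copied onto another tag; the EPC payload, tag IDs and reader key are constructed for the example.

```python
import hashlib
import hmac

CHECK_LEN = 20  # check value stored after the payload in user memory (constructed layout)


def write_tag_with_hash(payload: bytes) -> bytes:
    """The scheme as described in the text: payload || SHA-1(payload). Needs no secret."""
    return payload + hashlib.sha1(payload).digest()


def verify_tag_with_hash(memory: bytes) -> bool:
    payload, check = memory[:-CHECK_LEN], memory[-CHECK_LEN:]
    return hmac.compare_digest(check, hashlib.sha1(payload).digest())


def write_tag_with_mac(key: bytes, tid: bytes, payload: bytes) -> bytes:
    """Keyed scheme: payload || HMAC-SHA256(key, TID || payload)[:20].
    Including the tag's unique ID binds the record to this physical tag, so copying
    the memory contents onto a blank tag does not produce a valid record."""
    return payload + hmac.new(key, tid + payload, hashlib.sha256).digest()[:CHECK_LEN]


def verify_tag_with_mac(key: bytes, tid: bytes, memory: bytes) -> bool:
    payload, check = memory[:-CHECK_LEN], memory[-CHECK_LEN:]
    expected = hmac.new(key, tid + payload, hashlib.sha256).digest()[:CHECK_LEN]
    return hmac.compare_digest(check, expected)


def demo() -> dict:
    """Genuine tag, a payload altered on an unlocked tag, and a clone on a second tag."""
    key = hashlib.sha256(b"constructed reader key").digest()  # real keys come from a key store
    genuine = b"EPC:3034257BF7194E4000001A85|LOT:2005-07|QTY:0240"  # constructed payload
    forged = genuine.replace(b"QTY:0240", b"QTY:9999")
    tid_real = bytes.fromhex("e2003412013a0001")
    tid_clone = bytes.fromhex("e2003412013a0002")

    hashed = write_tag_with_hash(genuine)
    maced = write_tag_with_mac(key, tid_real, genuine)
    # Intruder rewrites the payload. With the hash scheme he recomputes SHA-1 himself;
    # with the MAC scheme the best he can do is keep the old check value.
    hashed_forged = write_tag_with_hash(forged)
    maced_forged = forged + maced[-CHECK_LEN:]
    return {
        "hash_genuine": verify_tag_with_hash(hashed),            # True
        "hash_tampered": verify_tag_with_hash(hashed_forged),    # True: the hash proves nothing
        "mac_genuine": verify_tag_with_mac(key, tid_real, maced),        # True
        "mac_tampered": verify_tag_with_mac(key, tid_real, maced_forged),  # False
        "mac_cloned": verify_tag_with_mac(key, tid_clone, maced),        # False: wrong TID
    }
```

Locking the tag after writing closes the rewrite path but not the cloning path, which is why the check value should be bound to the tag identity as well as to the data. If readers are deployed where the key cannot be kept safe, replace the HMAC with a digital signature made at the writing station and give the readers only the public key.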
RFID readers connect to the network in the same way as other network devices, and should be secured in the same manner. Whether the reader-to-network connection is wired or wireless, the precautions described in the device security section above should be implemented. Note also that network access control and financial transactions are better handled with smart cards and biometrics; both technologies are superior to RFID at thwarting remote eavesdropping and copying.