SECURITY OF WIRELESS COMMUNICATIONS
Wireless devices, like all technologies that provide external access to corporate networks, present security challenges. With wireless standards and practices still rapidly evolving, it is important to understand the strengths and limitations of available technologies in order to implement a secure solution. Extending current security policies to encompass wireless devices requires an understanding of the security features of both wireless devices and wireless networks.
Purpose of the Study
The purpose of the study was to assist in the decision whether Lotus Development should extend current security policies to encompass wireless devices. The following are critical security questions:
What challenges are faced with wireless security?
How can you verify that the device being used is actually in the hands of an authorized user? How can you enhance the security of the device?
How secure is the over-the-air network between the organization and the wireless device?
How can you secure the wireless session?
Should Lotus Development include wireless devices in their security policies?
Research Methods and Procedures
Through traditional and electronic research of books, periodicals, and business journals, secondary research was conducted. Figures were constructed through extensive research and study of interactions of networks.
Wireless Security Challenges
Mobile devices and wireless networks rely on a broad spectrum of technology, much of it cutting-edge. In comparison to PCs, each class of mobile device currently represents a unique hardware and software platform. Mobile phones and PDAs, for example, have varying capabilities and limitations both as computing devices and as client devices accessing corporate networks. The wireless networks that support mobile devices are similarly diverse.
By relying on industry standard protocols like TCP/IP, HTTP, SMTP and TAP, Mobile Services for Domino supports many of the major wireless networks currently in operation. This standards-based approach also provides MSD with a common security model that can operate across wireless networks, while at the same time taking some of the complexity out of doing business with different wireless network providers (Braden, 1997).
However, it is important to understand that there is currently no industry-wide security standard that will work on every mobile device and on every wireless network, in the way that X.509 and SSL span the PC universe. MSD bridges this gap wherever possible by adding its own security features (Freeburg, 1991).
Mobile Device Security
Most mobile devices currently provide only a simple username/password combination to block use of the device (a few also offer local data encryption). And since most users do not employ even this rudimentary level of security, mobile devices like pagers, mobile phones and PDAs are essentially unsecured (Aziz, 1993).
Existing PC-based security mechanisms, such as client certificates, simply don’t exist yet for wireless devices. The main reason is that wireless devices currently lack the computing power necessary to validate a certificate locally. Moreover, each wireless device has its own unique hardware, operating system services and integrated applications. These factors make it difficult to create a standard local security mechanism that can work across all wireless technologies.
Security, moreover, has only recently become a major concern of device vendors. This is because wireless devices have traditionally been targeted at individual users for access to their personal data — not corporate data. But as mobile device usage among corporate customers increases, improved security has become a paramount requirement. As vendors address this growing need, more and more security solutions and proposed standards will emerge (Aziz, 1993).
Device Security Enhancements
MSD supports the full spectrum of wireless devices, from one-way alphanumeric pagers that can receive a simple message from your Domino network to the latest generation of Web-ready phones equipped with micro-browsers, from which users can access their Notes mail, calendar and corporate directory.
Because of the great diversity of device capabilities, as well as their inherent security limitations, MSD cannot provide security for data stored locally across every device. Instead, MSD provides security for corporate data inside the firewall, by securing it against unauthorized access by wireless devices.
In particular, MSD provides administrators with the ability to (Cohen, 1991):
Associate a specific, authorized user with each mobile device (“Trusted Devices”).
Specify what wireless networks can communicate with MSD (“Trusted IP Addresses”).
MSD’s Trusted Devices feature enables administrators both to know what employee is authorized to use each device, and to control the ability of each user or device to access Domino via MSD. For example, if an employee loses his or her mobile device, an administrator can immediately disable the use of that device with MSD, thus eliminating the risk that an impostor will access the network.
In addition to Trusted Devices, MSD offers a related security feature called Dynamic Device/User Mapping. It works like this: the first time a user successfully enters a valid Domino HTTP username and password from a properly registered mobile device, a record is created in MSD’s configuration database that maps the user’s fully qualified Domino username to a unique device ID (which is received from the device). By default, users can easily clear this record using their mobile devices, in order to share the device with someone else. However, administrators can choose to “lock” the first-time mapping between device ID and username, preventing anyone other than the original, authorized person from using the device (Banan, 1999).
Trusted IP Addresses
MSD enables administrators to register the IP addresses of the WAP gateways they use with MSD. Only HTTP requests from these IP addresses are permitted to use the MSD application. This effectively restricts the proxies that can access an organizational network (Perkins, 1996).
In today’s wireless world, organizations may have little control over which wireless network their data travels over between the firewall and employees’ mobile devices. And while the Internet offers security standards for authentication and encryption between a remote user’s laptop-based Web browser and a corporate intranet, wireless networks have no analogous, universal security mechanisms. However, many operators using either Code Division Multiple Access (CDMA) or Cellular Digital Packet Data (CDPD) technology provide RSA-based encryption between the phone, cell tower and WAP gateway (Arup, 1993).
Security features common to many wireless networks include the following (Freeburg, 1991):
1. RSA RC4 encryption is in effect for “over-the-air” transmissions between the device and the wireless network.
2. As requests from the micro-browser reach the WAP gateway over the wireless network, they are converted and passed along to the HTTP server. This transformation takes place in real time, using the local memory of the WAP gateway. The possibility of unauthorized access to data during this process is therefore minimal.
3. The WAP gateway can also support HTTP connections, along with various kinds of certificates. This provides enhanced security between the WAP gateway and application servers like Mobile Services for Domino.
This multi-layer approach, illustrated in Figure 1, provides a secure foundation for over-the-air connections (Nichols, 1998).
Figure 1: Over-the-air security in a wireless network
MSD Server Security
As alluded to above, the foundation for all of MSD security capabilities is Domino’s integrated security services. Because MSD is a fully integrated, Domino-based solution, applicable Domino security services are available for use on the MSD server itself. For example, Domino supports port encryption via RSA RC4. As an option, the network communication between MSD and the rest of the Domino environment can be encrypted, providing an excellent way to increase security for corporate data (Davies, 1994).
Not only is an MSD server as secure as any Domino server, it also enables organizations to administer MSD server security the same way all other Domino servers in the environment are managed for security purposes.
Moreover, all additional security capabilities that MSD provides for mobile devices and wireless networks are managed through a common administrative interface, which greatly simplifies administrative control over this aspect of the network infrastructure.
Security between MSD and the WAP Gateway
Connections between a WAP gateway and the MSD server take place over TCP/IP, using HTTP or HTTPS as the transport. This makes it possible to use industry standard mechanisms such as SSL for authentication and encryption of the Internet connection. Because MSD relies on Domino’s native TCP/IP and HTTP support, these connections can be administered through Domino’s administration facilities.
There are two ways to secure data in transit between MSD and the WAP gateway using HTTPS (Saarinen, 1999):
Organizations can use Domino’s port encryption feature to encrypt network data on the specific ports used by MSD to communicate with the WAP gateway. This will result in the automatic encryption of all data both to and from MSD.
Mobile users can append an ‘S’ to the protocol portion (e.g. “HTTP”) of the URL when they initially create a bookmark to the MSD server on their mobile device. This will force the WAP gateway to use SSL between itself and the MSD server.
Security Between MSD and Domino
Because the MSD server acts as a proxy for mobile device users, there is no end-to-end networking session between the mobile device and whatever Domino mail and application servers users need to access. Thus, no software or security changes are required for MSD to work with a given Domino server to access users’ mail files. For example, there is no need to copy users’ mail files to the MSD server (Banan, 1999).
The MSD server uses Domino Remote Procedure Calls (RPC), which are part of Domino’s extensive set of APIs, to collect the requested data on behalf of users. MSD then converts the Domino-format data into the format required by the micro-browser on the mobile device, and delivers it back to the WAP gateway via HTTP. The WAP gateway, in turn, encrypts the HTTP-format data into the data format required by the micro-browser (Arup, 1993).
Because MSD is fully integrated with Domino, the Domino security infrastructure can be used to control which Domino servers and applications the MSD server can access. And because Domino and MSD communicate via Domino’s RPC API, sensitive data like e-mail remains in the Domino network, and is not exposed via HTTP. This is obviously not the case with typical HTTP-based solutions (Cohen, 1991).
Moreover, only specified Domino servers in your network environment are accessible to the controlled list of mobile users and devices, primarily because HTTP support is not required for Domino servers to communicate with the MSD server. This additional security can be implemented by configuring specific Domino servers to grant network access privileges to the MSD server, and listing these accessible Domino servers on the MSD server. This greatly reduces the network’s security exposure to the Internet and HTTP (Nichols, 1998).
Robust Domino authentication and encryption is automatically in use between the MSD server and all the other Domino servers from which mobile users can request data. This gives organizations total control over whether the MSD server is certified and how it gains access to other Domino servers in the network.
In addition, organizations can use any of Domino’s supported protocols for connections between MSD and other Domino servers, in addition to TCP/IP. Whatever protocol(s) are used, Domino/MSD server-to-server security is controlled in the same way that all other Domino security mechanisms are managed (Braden, 1997).
Security of a Wireless Session
This section presents a typical example of how wireless access works, and what security features can be enforced at various points in the session:
1. Picture yourself standing in a parking lot holding a Web-enabled cell phone. You want to check your Notes mail using the phone. You begin by connecting to a wireless service provider, and switching the phone to its data-capable mode.
2. From your device menus (configurations vary) choose Mobile Notes; i.e., the shortcut to the URL you use to access MSD. At this point, the phone connects for the first time with Mobile Services for Domino.
3. First and foremost, MSD checks to ensure that the IP address of the WAP gateway is a trusted IP address. If this check fails, you receive the message “Web Service Problem” and access to the Domino network is denied.
4. Next, MSD checks the IP address of your device to ensure it is a trusted device. If not, you receive the message “Web Service Problem” and access to the Domino network is denied.
5. If MSD trusts your device, it next attempts to authenticate you, the user. If this is the first time you’ve connected to MSD, you’ll be prompted for your Notes short name. MSD then checks whether that name appears in the Domino Directory.
6. Next (this being the starting point when you initiate subsequent sessions) you’re prompted for your Internet (HTTP) password, which MSD verifies. If successful, you can choose from among the Mobile Notes menu selections: E-mail, Calendar, Address Book and Switch ID. If the username and/or password is invalid, MSD returns the message “invalid user name” to the device. Figure 2 shows the menu choices.
7. To check your e-mail, select E-mail from the menu. Then choose from among the selections (New Mail, Inbox, New Memo and Search) on the E-mail menu. Your request will go out from the device to the WAP gateway, and then to MSD, before reaching your inbox on the Domino server. Note that, before it returns any data, MSD checks to ensure that you have the appropriate access permission (Manager level) in the Access Control List of your Notes Inbox (Freeburg, 1991).
8. To get new e-mail, select New Mail from the menu. The WAP gateway will then render the first nine new messages in your mailbox in HDML, and pass them to the micro-browser in your phone. Assuming SSL is enabled, each message is encrypted in transmission from the MSD server to the WAP gateway (and vice versa) using SSL. RSA RC4 over-the-air encryption safeguards data between the WAP gateway and your phone.
9. The phone decrypts and then displays each chunk of data as it arrives. You select which messages to read by clicking on them one at a time. To receive more data, select More. Select Back to review data you’ve already received. (Note that, since the micro-browser caches the data it receives for the session, unauthorized access is possible if the phone is lost or stolen while the session is in progress.) Mobile access is a browser-centric experience, in the sense that nothing resides on the phone itself once the session is terminated. Messages sent to your phone are marked as read in your Notes mailbox. When you choose Delete, the message is deleted on your Domino mail server (Maney, 2000).
Figure 2: Mobile Notes menu options on a Web-ready cell phone
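The checks in steps 3 to 7, together with the Trusted Devices and Dynamic Device/User Mapping features described earlier, amount to one ordered access decision. The Python below is an added example, not MSD code: the Policy class, the function names, the addresses and users, and the message returned for a mapping or ACL failure are assumptions, and the model treats a mapped device as bound to its user until the record is cleared.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

DENIED = "Web Service Problem"    # the page's message for a failed trust check
BAD_LOGIN = "invalid user name"   # the page's message for a failed login
MENU = ("E-mail", "Calendar", "Address Book", "Switch ID")

@dataclass
class Policy:                     # hypothetical model, not MSD's configuration schema
    gateways: list                # registered WAP gateway networks ("Trusted IP Addresses")
    devices: set                  # enabled device IDs ("Trusted Devices")
    passwords: dict               # username -> HTTP password (plaintext for the demo only)
    mail_acl: dict                # username -> access level on the user's own mail file
    lock: bool = True             # administrator lock on the first-time mapping
    owner: dict = field(default_factory=dict)   # device ID -> mapped username

def authorize(p, gateway_ip, device_id, user, password):
    """Apply the checks in the order of session steps 3 to 7; return (allowed, message)."""
    addr = ipaddress.ip_address(gateway_ip)
    if not any(addr in ipaddress.ip_network(net) for net in p.gateways):
        return False, DENIED                       # step 3: gateway is not trusted
    if device_id not in p.devices:
        return False, DENIED                       # step 4: device is not trusted
    stored = p.passwords.get(user, "")
    if not stored or not hmac.compare_digest(stored.encode(), password.encode()):
        return False, BAD_LOGIN                    # steps 5-6: unknown user or bad password
    mapped = p.owner.setdefault(device_id, user)   # first valid login creates the mapping
    if mapped != user:
        return False, DENIED                       # assumed message; the page gives none
    if p.mail_acl.get(user) != "Manager":
        return False, DENIED                       # step 7 ACL check; assumed message
    return True, MENU

def clear_mapping(p, device_id):
    """User-initiated reset of the device/user record; refused while the lock is set."""
    if p.lock:
        return False
    return p.owner.pop(device_id, None) is not None

def sample_policy(lock=True):
    """Constructed data: documentation-range addresses and made-up users."""
    return Policy(gateways=["192.0.2.0/28"], devices={"DEV-001"},
                  passwords={"jdoe": "s3cret", "asmith": "hunter2"},
                  mail_acl={"jdoe": "Manager", "asmith": "Manager"}, lock=lock)

if __name__ == "__main__":
    p = sample_policy()
    print(authorize(p, "192.0.2.10", "DEV-001", "jdoe", "s3cret"))     # allowed, menu shown
    print(authorize(p, "198.51.100.7", "DEV-001", "jdoe", "s3cret"))   # unregistered gateway
    print(authorize(p, "192.0.2.10", "DEV-001", "asmith", "hunter2"))  # device locked to jdoe
    p.devices.discard("DEV-001")       # administrator disables a lost device
    print(authorize(p, "192.0.2.10", "DEV-001", "jdoe", "s3cret"))     # now denied
```

Removing a device ID from the trusted set is the model's equivalent of an administrator disabling a lost device: valid credentials no longer help once the device check fails.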
Additional Security Tips
Because Mobile Services for Domino relies on TCP/IP and HTTP connections in order to communicate with each wireless service provider’s WAP gateway, it is important to carefully evaluate the location of the MSD server in a network topology.
This section illustrates three scenarios that can help make network connections between MSD and the WAP gateway more secure. Note that these considerations are valid not only when deploying MSD, but with respect to any TCP/IP and HTTP server that may be exposed outside of the corporate firewall (Cohen, 1991).
Figure 3 shows a network configuration that employs all of these security features.
Figure 3: Extra security between MSD and a WAP gateway
In this scenario, an Internet connection is used, for example, from an ISP of choice. The MSD server could be available on port 80 (the default for Domino HTTP); and port 443, which is the default Domino HTTP SSL port.
Disabling all other (unused) Domino ports on the MSD server will further protect the server. Only those ports needed for processes like Domino replication and access to other Domino servers should be enabled between the MSD server and the rest of a Domino network (Nichols, 1998).
In addition, you can use a third-party Certificate Authority to validate the credentials of the Internet Service Provider and their WAP gateway, and require the use of SSL for communication between the service provider and their gateway.
Most extranet networks today that are based on Web standards employ the use of some form of DMZ, or Demilitarized Zone (also referred to as a “double firewall”). In this configuration, the MSD server is positioned between two corporate firewalls. One firewall, on the Internet side, should only allow traffic from specific, trusted IP addresses in to the MSD server. The other, on the Domino network side, should only allow the MSD server to communicate with specific Domino servers, via specific (and optionally encrypted) ports (Abhaya, 1994).
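The double-firewall rule of thumb above can be checked mechanically against a rule set. The following Python is an added example, not part of MSD or Domino: the rule format, all addresses and the function names are constructed, and port 1352 for Domino RPC is an assumption the page does not state.

```python
import ipaddress

# All addresses below are constructed for the example (documentation and private ranges).
MSD = "203.0.113.20"                         # MSD server inside the DMZ
TRUSTED_GATEWAYS = ["192.0.2.0/28"]          # registered WAP gateway range
DOMINO_SERVERS = {"10.0.5.11", "10.0.5.12"}  # Domino servers MSD is allowed to reach
WEB_PORTS = {80, 443}                        # Domino HTTP and HTTP SSL defaults from the text
NRPC_PORT = 1352                             # assumption: Domino RPC port, not given on the page

def _covered(src, allowed):
    """True when every address in src falls inside one of the allowed networks."""
    net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src, strict=False)
    return any(net.subnet_of(ipaddress.ip_network(a)) for a in allowed)

def audit_outer(rules):
    """Internet-side firewall: allow rules may only admit trusted gateways to MSD web ports."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        if r["dst"] != MSD:
            findings.append((i, "destination is not the MSD server"))
        if r["port"] not in WEB_PORTS:
            findings.append((i, "port is not 80 or 443"))
        if not _covered(r["src"], TRUSTED_GATEWAYS):
            findings.append((i, "source is wider than the trusted gateways"))
    return findings

def audit_inner(rules):
    """Domino-side firewall: allow rules may only let MSD reach listed servers on the RPC port."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        if not _covered(r["src"], [MSD]):
            findings.append((i, "source is not the MSD server"))
        if r["dst"] not in DOMINO_SERVERS:
            findings.append((i, "destination is not a listed Domino server"))
        if r["port"] != NRPC_PORT:
            findings.append((i, "port is not the Domino RPC port"))
    return findings

OUTER = [  # constructed Internet-side rules
    {"action": "allow", "src": "192.0.2.0/28", "dst": MSD, "port": 443},
    {"action": "allow", "src": "any", "dst": MSD, "port": 80},          # open to everyone
    {"action": "allow", "src": "192.0.2.4", "dst": MSD, "port": 1352},  # RPC exposed outward
]
INNER = [  # constructed Domino-side rules
    {"action": "allow", "src": MSD, "dst": "10.0.5.11", "port": 1352},
    {"action": "allow", "src": MSD, "dst": "10.0.9.9", "port": 1352},   # unlisted server
    {"action": "allow", "src": MSD, "dst": "10.0.5.12", "port": 80},    # HTTP toward Domino
]

if __name__ == "__main__":
    for finding in audit_outer(OUTER) + audit_inner(INNER):
        print(finding)
```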
In a virtual private network (VPN) environment, a leased-line T1 circuit, Frame Relay or ATM-type connection is installed directly between the Wireless Server Provider and the corporate network. This provides a more secure connection, by virtue of creating a private “tunnel” that bypasses the public Internet altogether. A VPN also provides a much more reliable transport because it is not dependent on the Internet for connectivity. Another benefit of private networks, such as those implemented via frame relay, is that they can be much faster than some Internet connections (Aziz, 1993).
Wireless access to corporate data from mobile devices such as Web-enabled cell phones, pagers and PDAs has become a fact of corporate life. Organizations must fully understand the security implications of this type of access to keep their proprietary data secure. Mobile Services for Domino, along with the Domino Server itself, provide one of the most secure wireless access solutions available today.
While there is currently no true end-to-end authentication and encryption for wireless data access as there is in the PC world, MSD addresses many of the most critical security concerns that are inherent when users access corporate and personal data from mobile devices. Key MSD security features include (Cohen, 1991):
Trusted IP Addresses, enabling the MSD server to accept connections only from the IP addresses of approved wireless service providers.
Trusted devices, enabling MSD to associate a specific wireless device with a specific user.
Dynamic device/user mapping, which allows only an assigned, authorized user to use a specific wireless device.
Username/password authentication, enabling MSD to authenticate each user for each session.
Access Control List verification, which ensures that an authenticated user has the correct access permissions to access his or her Notes mailbox, before MSD sends any data.
As wireless security standards emerge, networks and servers will do their best to boost security. But unless current security policies include wireless, they might not be upgraded.
Aziz, Ashar and Whitfield Diffie: Privacy and Authentication for Wireless Local Area Networks, Sun Microsystems Inc, IEEE Personal Communications, Volume 1, Number 1, July 1993, Pages 25–31.
Abhaya, Asthana and Mark Cravatts and Paul Krzyzanowski: An Indoor Wireless System for Personalized Shopping Assistance, AT & T Bell Laboratory, IEEE Workshop on Mobile Computing Systems and Applications, Santa Cruz, CA, US, December 1994
Arup, Acharya and B. R. Badrinath: Delivering Multicast Messages in Networks with Mobile Hosts, Rutgers University, 13th International Conference on Distributed Computing Systems, Pittsburgh, US, May 1993, Pages 292–299
Banan, M. Neda’s Efficient Mail Submission and Delivery (EMSD) Protocol Specification Version 1.3. Request for Comments (Informational) 2524, Neda Communications, Inc., February 1999.
Braden, R. et al. Resource ReSerVation Protocol (RSVP) Version 1 Functional Specification. Internet Request for Comments, RFC-2205, September 1997.
Cohen, D. and J. B. Postel and R. Rom: IP Addressing and Routing in Local Wireless Network, July 1991.
Davies, Nigel and Stephen Pink and Gordon S. Blair: Services to Support Distributed Applications in a Mobile Environment, Lancaster University, Swedish Institute of Computer Science, First International Workshop on Services in Distributed and Networked Environments, Prague, République Tchèque, June 1994.
Freeburg, T. A. Enabling Technologies for Wireless In-Building Network Communications – Four Technical Challenges, Four Solutions, IEEE Communications Magazine, April 1991, Pages 58–64.
Grice, Corey. Geoworks Soars on Wireless Licensing Plans. Staff Writers, CNET News.com, January 2000.
Johnson, K. and C. Perkins. Mobility Support in IPv6. Internet Draft, draft-ietf-mobileip-ipv6-12.txt, April 2000.
Kevin Maney. Cell Phones Let the Web ‘go mobile’. USA TODAY Online, February 2000.
Nichols, K. and D. Black. Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers. Internet Request for Comments, RFC-2474, December 1998.
Perkins, C. IP Mobility Support. Internet Request for Comments, RFC-2002, October 1996.
Saarinen, Markku-Juhani. Attacks Against The WAP WTLS Protocol. University of Jyväskylä, 1999.