
Network Security: Presented By: Dr. Munam Ali Shah

The document summarizes a lecture on mobile device and network security. It discusses three aspects of a mobile device security strategy: device security, client/server traffic security, and barrier security. It also describes the Robust Security Network standard IEEE802.11i and its five phases of operation. Finally, it outlines a general network security model involving designing security algorithms, generating secrets, distributing secrets, and developing security protocols.

Uploaded by

Nadeem Shoukat

Network Security

Lecture 9

Presented by: Dr. Munam Ali Shah


Summary of the previous lecture
• We talked about different types of security attacks on wireless networks, such as man-in-the-middle attacks, spoofing, wardriving, etc.
• We discussed how different solutions can be used to secure our wireless networks. Some of the solutions we discussed are limiting the signal of the wireless network and the use of encryption.
• We also studied mobile networks and specialized attacks that can breach the security of a wireless network.
Outline of today's lecture
We will continue our discussion on:
• Mobile Device Security
  ◦ Mobile Device Security Strategy
• Robust Security Network (RSN) and IEEE802.11i
• Network Security Model
Objectives
• You will be able to present an overview of security threats and countermeasures for mobile networks.
• Understand the basics of the IEEE802.11i standard for robust security.
• Describe the principal elements of a network security model.
Mobile Device Security Strategy
• With the threats to mobile networks discussed in Lecture 8, let us now see the main elements of a mobile device security strategy. They fall into three categories:
  ◦ device security
  ◦ client/server traffic security
  ◦ barrier security
1. Device Security
• Some organizations supply mobile devices for employee use and preconfigure those devices to conform to the company security policy.
• Some organizations adopt a bring-your-own-device (BYOD) policy that allows personal devices to access the company's resources.
• For a BYOD policy, the IT staff should:
  ◦ Inspect each device before allowing network access
  ◦ Establish configuration guidelines, e.g., rooted or jail-broken devices should not be permitted
  ◦ The device must not be allowed to store the company's contacts on the mobile
Device Security (cont.)
• The following security controls should be configured on the mobile devices:
  ◦ Enable auto-lock
  ◦ Enable SSL (secure socket layer)
  ◦ Enable password or PIN protection
  ◦ Avoid using auto-complete features that remember passwords
  ◦ Enable remote wipe
  ◦ Make sure that software, including operating systems and applications, is up to date.
  ◦ Install antivirus software as it becomes available.
Examples of device Security
Device Security (cont.)
• Either sensitive data should be prohibited from storage on the mobile device or it should be encrypted.
• IT staff should also have the ability to remotely access devices, wipe the device of all data, and then disable the device in the event of loss or theft.
• The organization may prohibit all installation of third-party applications.
• Implement and enforce restrictions on what devices can synchronize and on the use of cloud-based storage.
• Disable location services.
• Employee training.
2. Traffic Security
• Traffic security is based on the usual mechanisms for encryption and authentication. All traffic should be encrypted and travel by secure means, such as SSL or IPv6. Virtual private networks (VPNs) can be configured so that all traffic between the mobile device and the organization's network is via a VPN.
Traffic Security (Cont.)
• A strong authentication protocol should be used to limit the access from the device to the resources of the organization. A preferable strategy is to have a two-layer authentication mechanism, which involves authenticating the device and then authenticating the user of the device.
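The two-layer mechanism described above, as an added example that is not part of the original lecture: the device proves possession of a provisioned key through an HMAC challenge-response, and only then is the user's password checked. The device ID, user name, key store and password scheme (PBKDF2) are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed enrolment data (assumptions for this sketch): one managed
# device with a provisioned key, one user with a salted password hash.
DEVICE_KEYS = {"tablet-017": secrets.token_bytes(32)}
_SALT = secrets.token_bytes(16)
USERS = {"alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 200_000))}


def device_response(device_key: bytes, challenge: bytes) -> bytes:
    """Runs on the device: prove possession of the key without sending it."""
    return hmac.new(device_key, challenge, hashlib.sha256).digest()


def verify_device(device_id: str, challenge: bytes, response: bytes) -> bool:
    """Layer 1: is this an enrolled device holding its provisioned key?"""
    key = DEVICE_KEYS.get(device_id)
    if key is None:
        return False
    expected = hmac.new(key, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def verify_user(username: str, password: str) -> bool:
    """Layer 2: does the person holding the device know the user's password?"""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return hmac.compare_digest(candidate, stored)


def grant_access(device_id, challenge, response, username, password) -> bool:
    """Access requires both layers; the user check never runs for an unknown device."""
    if not verify_device(device_id, challenge, response):
        return False
    return verify_user(username, password)
```

In a deployment the server would issue a fresh random challenge for every login so that a captured response cannot be reused.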
3. Barrier Security
• The organization should have security mechanisms to protect the network from unauthorized access. The security strategy can also include firewall policies specific to mobile device traffic.
• Firewall policies can limit the scope of data and application access for all mobile devices. Similarly, intrusion detection systems (IDS) and intrusion prevention systems (IPS) can be configured to have tighter rules for mobile device traffic.
Mobile Device Security Strategy
Robust Security Network (RSN)
• Wireless LANs differ from wired LANs in the following ways:
  ◦ In a wired LAN, the physical connection acts as a form of authentication.
  ◦ A wired LAN provides a degree of privacy, limiting reception of data to stations connected to the LAN. On the other hand, with a wireless LAN, any station within radio range can receive.
Robust Security Network (RSN)
• These differences between wired and wireless LANs suggest the increased need for robust security services and mechanisms for wireless LANs.
• The original 802.11 specification included a set of security features for privacy and authentication that were quite weak. For privacy, 802.11 defined the Wired Equivalent Privacy (WEP) algorithm. The privacy portion of the 802.11 standard contained major weaknesses.
• Subsequent to the development of WEP, the 802.11i task group has developed a set of capabilities to address the WLAN security issues.
RSN
• The final form of the 802.11i standard is referred to as Robust Security Network (RSN).
• The 802.11i RSN security specification defines the following services:
  ◦ Authentication
  ◦ Access Control
  ◦ Privacy with message integrity
RSN Services
• Authentication: A protocol is used to define an exchange between a user and an Authentication Server (AS) that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link.
• Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.
• Privacy with message integrity: MAC-level data such as frames are encrypted to ensure that the data have not been altered.
IEEE802.11i Five Phases of Operation
• Discovery
• Authentication
• Key generation and distribution
• Protected data transfer
• Connection termination
IEEE802.11i Five Phases of Operation
Network Security Model
• Security aspects come into play when it is necessary or desirable to protect the information transmission from an opponent who may present a threat to confidentiality, authenticity, and so on. All the techniques for providing security have two components:
  ◦ A security-related transformation on the information to be sent. Examples include the encryption of the message, which scrambles the message so that it is unreadable by the opponent, and the addition of a code based on the contents of the message, which can be used to verify the identity of the sender.
  ◦ Some secret information shared by the two principals and, it is hoped, unknown to the opponent. An example is an encryption key used in conjunction with the transformation to scramble the message before transmission and unscramble it on reception.
Model for Network Security
• This general security model shows that there are four basic tasks in designing a particular security service:
  1. Design an algorithm for performing the security-related transformation. The algorithm should be such that an opponent cannot defeat its purpose.
  2. Generate the secret information to be used with the algorithm.
  3. Develop methods for the distribution and sharing of the secret information.
  4. Specify a protocol to be used by the two principals that makes use of the security algorithm and the secret information to achieve a particular security service.
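The four tasks mapped onto a small message-authentication service, as an added example that is not part of the original lecture. It covers only the "code based on the contents of the message" transformation (HMAC-SHA256 is the algorithm chosen here), assumes the key has already been distributed out of band, and uses a wire format and class name invented for this sketch.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


def generate_secret() -> bytes:
    """Task 2: generate the secret information (a random 256-bit key)."""
    return secrets.token_bytes(32)


class Principal:
    """One end of the channel. Task 3 (distribution) is assumed: both
    principals are constructed with the same key, delivered out of band."""

    def __init__(self, key: bytes):
        self._key = key
        self._send_seq = 0
        self._recv_seq = 0

    def _tag(self, seq: int, payload: bytes) -> bytes:
        # Task 1: the transformation, a code computed over the message contents.
        data = seq.to_bytes(8, "big") + payload
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def send(self, payload: bytes) -> bytes:
        # Task 4: the protocol. Wire format: 8-byte sequence number | payload | tag.
        self._send_seq += 1
        seq = self._send_seq
        return seq.to_bytes(8, "big") + payload + self._tag(seq, payload)

    def receive(self, wire: bytes) -> bytes:
        if len(wire) < 8 + TAG_LEN:
            raise ValueError("truncated message")
        seq = int.from_bytes(wire[:8], "big")
        payload, tag = wire[8:-TAG_LEN], wire[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(seq, payload)):
            raise ValueError("bad tag: altered message or wrong key")
        if seq <= self._recv_seq:
            raise ValueError("replayed or stale message")
        self._recv_seq = seq
        return payload
```

The sequence number is part of the protocol rather than the algorithm: the tag alone would still verify on a message the opponent recorded and sent again.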
Model for Network Security
Summary of today's lecture
• We talked about different security measures that can be used to make a mobile network secure.
• We also talked about the IEEE802.11i standard, which ensures security in a WLAN by using different protocols.
• Lastly, we discussed the network security model, which provides detail of what needs to be protected against whom.
Next lecture topics
• Our discussion on network security will continue and we will see some new paradigms of ensuring security.
• We will see some examples and protocols which are used to secure a communication in a practical fashion.
The End
