
In his presentation "Vulnerabilities in WiFi / Dual-mode VoIP Phones", Sachin Joglekar looked at the security of these devices from a number of angles. When reviewing devices of this kind, the first goal is to understand the general issues of dual-mode mobile devices, and the second is to look at the specific aspects of particular brands and models.
In general there are three key issues. The first is the operating system of these devices and how it handles a mobile end-point with its inherent security issues. The second is the applications these mobile devices run, and the security issues those applications create when the device is connected to the enterprise network. The third is the set of vulnerabilities this end-point introduces to the enterprise network during hand-off between public and private networks, together with the trade-off between performance and security.
When looking to introduce mobility solutions we must understand the security impact on the enterprise. When multiple intelligent phones are introduced, each has its own OS, and these phones potentially carry the same security risks as their full-sized brethren. An OS like Microsoft CE cannot run a full firewall or virus checker, so the device can be targeted for malicious use.
The applications can provide new doors into the enterprise network. Examples include e-mail, calendar, Instant Messaging and CRM applications. Each of these may open new attack vectors unbeknownst to the user of the service.
When we run applications in a mobile environment, we perform device Authentication and Authorization for each end-point. When we allow hand-off between networks, we require both data-level access control and VoIP client Network Access Control. With multiple hand-offs, up to the cellular network and back down to the WiFi network, a trust model needs to be identified and executed upon without degrading the real-time nature of the VoIP traffic.
Through the Looking Glass:
Like many other network devices, a standard needs to be adopted and adhered to. This standard should be determined by first identifying the application requirements and second designing and testing the security aspects of the application in a limited pilot program. Once the appropriate infrastructure and end-point protection are set up in the DMZ, and a complete risk/reward evaluation has been completed, these devices and applications can be introduced into a production environment. A corporate policy outlining the use of mobility devices and reinforcing the issues of privacy, customer privacy and security should also be introduced, and each user should sign this policy, just as you would approve the use of a VPN for a remote worker.
The complications of multiple hand-offs between the public network and the internal private 802.11 network mean that today these devices need to be treated as hostile devices outside the DMZ until Network Access at both the data and voice client level can be established. Currently this is the most difficult security vulnerability area to remediate. The users, typically executives with a "just do it" attitude, do not understand the complexity versus convenience trade-off in this aspect of security.
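The hand-off trust model described above (device authentication plus data-level and VoIP client access control, with the phone treated as hostile until both pass) can be sketched as a small policy point. The following is an added illustration written for this write-up, not code from the presentation or from any product: the device identifiers, the HMAC-based device key, the posture fields and the session TTL are all constructed assumptions, and the "hostile by default, DMZ only" outcome plus a cached fast path on re-attach show how a re-check can be kept off the call path without granting anything before the device has proved itself.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed per-device secret for the example. A real deployment would use a
# device certificate or hardware-backed key rather than a secret in source.
DEVICE_KEYS = {"phone-0042": b"constructed-secret-for-phone-0042"}

SESSION_TTL = 300  # seconds a passed posture check stays valid across hand-offs (assumed)

DMZ_ONLY = "dmz-only"          # hostile by default: may reach the DMZ, nothing internal
DATA = "data"                  # data-level NAC passed: mail, calendar, IM, CRM
VOICE_AND_DATA = "voice+data"  # VoIP client NAC also passed: SIP/RTP to the PBX


@dataclass
class Posture:
    """Endpoint state reported at attach time; fields are constructed for the example."""
    os_patched: bool
    screen_lock: bool
    sip_client_trusted: bool  # VoIP client build is on the allow-list


def device_tag(device_id: str, nonce: bytes) -> bytes:
    """Phone side: prove possession of the device key for this attach attempt."""
    return hmac.new(DEVICE_KEYS[device_id], nonce, hashlib.sha256).digest()


@dataclass
class HandoffNac:
    """Policy point consulted every time a phone attaches to the private 802.11 network."""
    sessions: dict = field(default_factory=dict)  # device_id -> (expiry, granted level)

    def authenticate(self, device_id: str, nonce: bytes, tag: bytes) -> bool:
        key = DEVICE_KEYS.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

    def decide(self, device_id: str, nonce: bytes, tag: bytes, posture: Posture, now: float) -> str:
        # Unknown or unauthenticated device: treat as hostile, DMZ only.
        if not self.authenticate(device_id, nonce, tag):
            return DMZ_ONLY
        # Fast path on re-attach: a recent full check is still valid, so the
        # in-progress call is not stalled by repeating the posture evaluation.
        cached = self.sessions.get(device_id)
        if cached and now < cached[0]:
            return cached[1]
        # Data-level access control: minimum OS and device hygiene.
        if not (posture.os_patched and posture.screen_lock):
            return DMZ_ONLY
        level = DATA
        # VoIP client access control is layered on top of data access.
        if posture.sip_client_trusted:
            level = VOICE_AND_DATA
        self.sessions[device_id] = (now + SESSION_TTL, level)
        return level

    def revoke(self, device_id: str) -> None:
        """Drop the cached result, e.g. when the device is reported lost."""
        self.sessions.pop(device_id, None)


def simulate_handoffs() -> list:
    """Walk one phone through a first attach, a hand-off back within the TTL,
    a forged tag, an unknown device, and a re-attach after expiry with a
    downgraded posture. Returns the sequence of access levels granted."""
    nac = HandoffNac()
    good = Posture(os_patched=True, screen_lock=True, sip_client_trusted=True)
    t0 = 1_000_000.0
    granted = []
    nonce = os.urandom(16)
    granted.append(nac.decide("phone-0042", nonce, device_tag("phone-0042", nonce), good, t0))
    # Cellular -> WiFi hand-off 60 s later: the cached result keeps the call going.
    nonce = os.urandom(16)
    granted.append(nac.decide("phone-0042", nonce, device_tag("phone-0042", nonce), good, t0 + 60))
    # Attach with a wrong tag for the same nonce: no access beyond the DMZ.
    granted.append(nac.decide("phone-0042", nonce, b"\x00" * 32, good, t0 + 61))
    # Device id the NAC has never been provisioned with.
    granted.append(nac.decide("phone-9999", nonce, b"\x00" * 32, good, t0 + 62))
    # After the TTL the full check runs again; the VoIP client is no longer trusted.
    nonce = os.urandom(16)
    degraded = Posture(os_patched=True, screen_lock=True, sip_client_trusted=False)
    granted.append(nac.decide("phone-0042", nonce, device_tag("phone-0042", nonce), degraded, t0 + 400))
    return granted


if __name__ == "__main__":
    for step, level in enumerate(simulate_handoffs(), 1):
        print(f"attach {step}: {level}")
```

The point of the cache is the one the presentation raises: the trust decision has to survive repeated hand-offs without adding latency to live voice, so the expensive check runs once per TTL and every re-attach within it only re-proves device identity. The phone still lands in the DMZ-only state whenever that proof fails, and `revoke` exists so an operator can force a full re-check before the TTL runs out.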