Andrew Yeomans
VP Global Information Security
Dresdner Kleinwort Wasserstein
Andrew.Yeomans@drkw.com
Wi-Fi Summit - October 2005
Security Issues in large scale wireless and VoIP deployment

Dresdner Kleinwort Wasserstein (DrKW)
• DrKW is the investment bank of Dresdner Bank AG
• Member of the Allianz Group
• Headquartered in London and Frankfurt, offices in New York, Chicago, San Francisco, Boston, Tokyo, Sao Paulo, Paris, Milan, Beijing, Shanghai, Hong Kong, Luxembourg, Kuala Lumpur, Warsaw, Moscow, St. Petersburg, Singapore, Johannesburg, Madrid, Zürich
• Employs approximately 6,000 people around the world
• More than €2 billion operating income in 2004

With latest technologies
• Voice-over-IP (fixed and mobile)
• Wireless 802.11
• Guest wireless internet access for visitors
• Staff access in meeting rooms

Desire and lust for shiny new technology!
• Truly mobile computing –
• Work from the coffee lounge or canteen
• Wireless IP phone from anywhere in building
• Technology is cool
• Of course it’s secure!

Fear, Loathing and Rejection (Jim Herbeck)
• Protocol flaws
• Implementation flaws
• Usability – need another mobile?
• War driving, War chalking
• AirSnort, Kismet, WEPcrack
• Denial of Service
• … but are these real?

Results
• 150+ wireless networks seen
• Just using internal PCMCIA aerial
• Only half used WEP encryption (some are hotspots)
• With aerial can pick up Canary Wharf – 4 km away
• “The Feds can own your LAN too” – in 3 minutes
• http://www.tomsnetworking.com/Sections-article111.php
• Packet injection attacks

And that’s not all …
• Use in hotspots – real or fake?
• Home networks – set up securely?
• Location-sensing required – e.g. personal firewalls
• Insider threats – inadvertent and malicious
• Stolen devices (with keys)
• Other wireless devices

But the new devices fix it, don’t they?
• "Those who cannot remember the past are condemned to repeat it." - George Santayana, The Life of Reason
• WEP -> WPA -> WPA2 (802.11i) -> ??
• But devices are upgradable... Or are they?
• And it takes years to flush out the old equipment
• So hotspots support least common denominator
• So have to run IPsec or SSL/TLS instead
• Unless you really can design from new

In conclusion
• Assess risks
• Confidentiality, Integrity and Availability are still key
• Anything can go wrong – so be prepared for failure
• Put appropriate policy controls in place
• Trust – but verify – check configurations, monitor data
• Work with your security people
• And reap the business benefits!

Questions?
Andrew Yeomans
VP Global Information Security
Dresdner Kleinwort Wasserstein
Andrew.Yeomans@drkw.com
Wi-Fi Summit - October 2005