Security Issues in large scale wireless and VoIP deployment

1
Security Issues in large scale wireless and VoIP
deployment
Wi-Fi Summit - October 2005

• Andrew Yeomans
• VP Global Information Security
• Dresdner Kleinwort Wasserstein
• Andrew.Yeomans_at_drkw.com

2
Dresdner Kleinwort Wasserstein (DrKW)

• DrKW is the investment bank of Dresdner Bank AG
• Member of the Allianz Group
• Headquartered in London and Frankfurt, offices in
  New York, Chicago, San Francisco, Boston, Tokyo,
  Sao Paulo, Paris, Milan, Beijing, Shanghai, Hong
  Kong, Luxembourg, Kuala Lumpur, Warsaw, Moscow,
  St. Petersburg, Singapore, Johannesburg, Madrid,
  Zürich
• Employs approximately 6,000 people around the
  world
• More than 2 billion operating income in 2004

3
Relocation to 30 Gresham Street, London
4
With latest technologies

• Voice-over-IP (fixed and mobile)
• Wireless 802.11
• Guest wireless internet access for visitors
• Staff access in meeting rooms

5
With latest technologies
6
Desire and lust for shiny new technology!

• Truly mobile computing
• Work from the coffee lounge or canteen
• Wireless IP phone from anywhere in building
• Technology is cool
• Of course its secure!

7
Fear, Loathing and Rejection (Jim Herbeck)

• Protocol flaws
• Implementation flaws
• Usability need another mobile?
• War driving, War chalking
• AirSnort, Kismet, WEPcrack
• Denial of Service
• but are these real?

8
What can you do with an old laptop and a scenic
view?
9
And a couple of old techies?
10
Results

• 150 wireless networks seen
• Just using internal PCMCIA aerial
• Only half used WEP encryption (some are hotspots)
• With aerial can pick up Canary Wharf 4 km away
• The Feds can own your LAN too in 3 minutes
• http//www.tomsnetworking.com/Sections-article111.
  php
• Packet injection attacks

11
And thats not all

• Use in hotspots real or fake?
• Home networks set up securely?
• Location-sensing required e.g. personal
  firewalls
• Insider threats inadvertent and malicious
• Stolen devices (with keys)
• Other wireless devices

12
Floods of vulnerabilities
13
Means anticipating failure
14
But the new devices fix it, dont they?

• "Those who cannot remember the past are condemned
  to repeat it." - George Santayana, The Life of
  Reason
• WEP -gt WPA -gt WPA2 (802.11i) -gt ??
• But devices are upgradable.. Or are they?
• And it takes years to flush out the old equipment
• So hotspots support least common denominator
• So have to run IPsec or SSL/TLS instead
• Unless you really can design from new

15
In conclusion

• Assess risks
• Confidentiality, Integrity and Availability are
  still key
• Anything can go wrong so be prepared for
  failure
• Put appropriate policy controls in place
• Trust but verify check configurations,
  monitor data
• Work with your security people
• And reap the business benefits!

16
Questions?
Wi-Fi Summit - October 2005

• Andrew Yeomans
• VP Global Information Security
• Dresdner Kleinwort Wasserstein
• Andrew.Yeomans_at_drkw.com