
GSM APN Security Weakness Demonstrated Live at Conference

 

If your device is using the GSM network and communicating data over GPRS, a hacker can pretend to be the network, copy your credentials and then use them to gain access to your "secure" network via your APN without your organisation ever knowing about it.

The issue stems from the inherent security weaknesses of using an APN over GSM-based cellular networks (such as GPRS). The associated Rysavy Research white paper illustrates this concern with a possible "hack". The technique was demonstrated live at a public security conference a month or so ago, using a £1,000 piece of equipment, and is reported in the UK press here.

This demonstrates why Government Connect has ruled that APNs are not considered a secure solution, and in order to achieve GSi CoCo compliance, public sector organisations must implement a VPN, such as NetMotion Mobility XE, which accommodates the security and management demands of the Code of Compliance for mobile working.

This is true for Windows on laptops and tablets (such as Windows XP, Vista and Windows 7) even though that operating platform has a fairly mature security architecture inherent in its design. For local government organisations that have invested in Windows Mobile devices, it becomes especially important as those organisations try to make the most of that investment. Read on to see how an investment in Windows Mobile can be justified simply by adding a piece of software (NetMotion Mobility XE) to make it GSi CoCo compliant.

Let's look at this a bit more closely. To implement security policies and to most effectively design their security architectures, network managers must understand the security features of the networks they are using, as well as their limitations. The Rysavy white paper discusses security recommendations and regulations, reviews the security mechanisms available with public wireless networks, explains where they fall short, and concludes that only an end-to-end security approach such as a mobile VPN can fully address the security needs for many applications.

"In the case of user authentication, network operators are primarily concerned with fraudulent use of their network, and so the authentication mechanisms are designed to ensure that only legitimate devices connect to the network.

With Global Systems for Mobile Communications (GSM) networks, for instance, the network validates the credentials in the Subscriber Identity Module (SIM) card. In 2G cellular networks, there are no provisions to authenticate the network to the user system.

This allows man-in-the-middle attacks where an attacker could operate a low-power equipment that simulates a wireless network, and could acquire user credentials."
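The one-way authentication the white paper describes, modelled as an added example (this is not the paper's or NetMotion's code, and it uses HMAC-SHA256 keyed with Ki as a stand-in for the real SIM algorithms): in the 2G-style flow the device answers any challenge and, once "attached", hands its APN login to whoever is on the other end; with a network-authentication token (the AUTN of 3G-style AKA), a rogue base station without Ki is rejected before any credential leaves the device. The APN credential and key values are constructed samples.

```python
import hashlib
import hmac
import secrets

# Toy model, not the real A3/A8/Milenage: HMAC-SHA256 keyed with Ki stands in for the SIM functions.
def f(ki, label, rand):
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:8]

class Subscriber:
    """Device with a SIM holding Ki and an APN username/password to protect."""
    def __init__(self, ki, apn_credential):
        self.ki, self.apn_credential = ki, apn_credential
    def attach(self, network, mutual):
        rand, autn = network.challenge()
        if mutual:
            # 3G-style AKA: the network must prove it knows Ki before we answer.
            if autn is None or not hmac.compare_digest(autn, f(self.ki, b"AUTN", rand)):
                return None  # reject the network; the credential never leaves the device
        sres = f(self.ki, b"SRES", rand)
        if not network.accept(rand, sres):
            return None
        # 2G: once attached, the device trusts whoever answered and sends its APN login.
        return network.receive_apn_login(self.apn_credential)

class HomeNetwork:
    """Legitimate operator: holds Ki, so it can verify SRES and compute AUTN."""
    def __init__(self, ki=None):
        self.ki, self.captured = ki, None
    def challenge(self):
        rand = secrets.token_bytes(16)
        return rand, f(self.ki, b"AUTN", rand)
    def accept(self, rand, sres):
        return hmac.compare_digest(sres, f(self.ki, b"SRES", rand))
    def receive_apn_login(self, credential):
        self.captured = credential
        return "attached"

class RogueNetwork(HomeNetwork):
    """Rogue base station: knows no Ki, cannot produce AUTN, but in 2G simply accepts the attach."""
    def challenge(self):
        return secrets.token_bytes(16), None  # no proof of network identity offered
    def accept(self, rand, sres):
        return True

def run(mutual):
    # Returns (result with home network, result with rogue, credential the rogue captured).
    ki = secrets.token_bytes(16)
    sub = Subscriber(ki, "apn-user:apn-pass")  # constructed sample credential
    home, rogue = HomeNetwork(ki), RogueNetwork()
    return sub.attach(home, mutual), sub.attach(rogue, mutual), rogue.captured
```

`run(False)` shows the rogue receiving the APN login; `run(True)` shows the device refusing the rogue while still attaching to its home network.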

Focusing on the investment local authorities have made in Windows Mobile devices: on its own, the Windows Mobile operating system is vulnerable. However, once you implement NetMotion Mobility XE on the device, the software brings the security level of the operating system up to that of "big" Windows (XP, Vista or Windows 7) by replacing so-called NTLM version 1 with NTLM version 2. The Mobility XE software also locks down the device, as it does on laptops and tablets, and forces all communications through a secure, end-to-end encrypted tunnel via the NetMotion Mobility server at the IT centre, thus eliminating the concerns people have about the inherent insecurity of Windows Mobile. (As an aside, for organisations that use RSA SecurID or other two-factor authentication systems, putting NetMotion Mobility XE on a Windows Mobile device extends that two-factor authentication token to Windows Mobile devices as well.)

A growing number of UK Local Authorities have selected NetMotion Mobility to ensure productivity for their end users and improved management control for IT, while at the same time achieving GSi CoCo compliance for mobile working. These organisations include Birmingham, Westminster, Wolverhampton and Bournemouth City Councils, Harrow Council, Durham County Council, Oxfordshire County Council, Powys County Council, Derby Homes and several district councils.

NetMotion Mobility XE helps Local Authority customers achieve GSi CoCo compliance for their wireless deployments, as it meets 6 of the 7 specific requirements for mobile working. Specifically:

  • NetMotion Mobility encrypts data while in transit using a method and encryption libraries which are FIPS140-2 certified.
  • Policy Management and Network Access Control capabilities permit the portable electronic devices to be authorised, managed, configured and operated in accordance with CESG Guidance.
  • Mobility's support for X.509v3 PKI user certificates and device registration methods ensures that remote connections are only permitted from authorised, official and managed devices.
  • Mobility's extensive logging and reporting capabilities through our Analytics Module enables Network Managers and Security Officers to maintain detailed records of the connection and usage activity of every remote and mobile connection.
  • The Mobility client installed on each device is a Transport Layer Proxy Firewall, which can be centrally configured to block or allow access to specific data streams, applications, ports, protocols etc.
  • NetMotion Mobility supports strong two-factor authentication for all remote and mobile devices including Windows Mobile.

To place this in context of GSi Section 10 Mobile/Home Working:

  • Data at rest or in transit must be encrypted (FIPS 140-2). Securing data at rest is not in the scope of a mobile VPN such as NetMotion Mobility XE (that is for products from Symantec, SOTI, BeCrypt, Credant and the like). NetMotion offers locked-down, end-to-end encryption of data in transit over any network type, both for "big" Windows and handhelds, without distracting the end user.
  • Portable electronic devices must be authorised, managed, configured and operated in accordance with CESG Guidance. NetMotion Mobility's architecture model means that only authorised, registered devices that can pass the organisation's strong authentication will be allowed onto the trusted network. All configuration is mandated from the centre; the end user has no freedom to act (unless explicit policy decisions require exceptions). The addition of Policy Management and NAC offers fine-grained control over what is allowed over which type of network interface, by user, device, application, network address, etc. An analytics reporting module offers an alert facility to send SNMP, SYSLOG or email alerts of security concerns.
  • All remote connections must be from authorised, official and managed devices. See the bullet above. All unrecognised devices can either be rejected or quarantined. In addition, with X.509 v3 PKI device certificates, a user's authentication can be restricted to a specific device or devices. Analytics offers an alert facility to send SNMP, SYSLOG or email alerts of security concerns.
  • Detailed records of the connection and usage activity of every remote and mobile connection must be maintained. Analytics keeps very detailed audit records by device, application, user, network type, etc. (beyond what any other VPN offers) for a default of 13 months (configurable up to five years).
  • Personal firewalls must be installed, enabled and subject to configuration management on all remote working devices. The architecture of Mobility XE locks down all network interfaces (they are accessible only to Mobility XE traffic between applications and the server at the centre, with no uncontrolled direct access to the internet). In addition, with the Network Access Control (NAC) module, any existing firewall, antivirus and anti-malware packages can be automatically health-checked and, if need be, remediated automatically before any data is allowed to flow to the trusted network.
  • Two-factor authentication must be used for all remote and mobile devices. NetMotion Mobility XE includes integrated support for RSA SecurID (as certified by RSA). Other two-factor authentication packages are supported through an interface to RADIUS (as used by many customers). In addition, Mobility XE includes support for smartcards and PKI certificates for users and devices, both on "big" Windows and on handhelds.
