Security Issues in large scale wireless and VoIP deploymentSecurity Issues in large scale wireless and VoIP deployment

Andrew Yeomans

VP Global Information Security

Dresdner Kleinwort Wasserstein

Andrew.Yeomans@drkw.com

Wi-Fi Summit - October 2005

2

Dresdner Kleinwort Wasserstein (DrKW)

• DrKW is the investment bank of Dresdner Bank AG

• Member of the Allianz Group

• Headquartered in London and Frankfurt, offices in New York, Chicago, San Francisco, Boston, Tokyo, Sao Paulo, Paris, Milan, Beijing, Shanghai, Hong Kong, Luxembourg, Kuala Lumpur, Warsaw, Moscow, St. Petersburg, Singapore, Johannesburg, Madrid, Zürich

• Employs approximately 6,000 people around the world

• More than € 2 billion operating income in 2004

3

Relocation to 30 Gresham Street, London

4

With latest technologies

• Voice-over-IP (fixed and mobile)

• Wireless 802.11

• Guest wireless internet access for visitors

• Staff access in meeting rooms

5

With latest technologies

6

Desire and lust for shiny new technology!

• Truly mobile computing –

• Work from the coffee lounge or canteen

• Wireless IP phone from anywhere in building

• Technology is cool

• Of course it’s secure!

7

Fear, Loathing and Rejection (Jim Herbeck)

• Protocol flaws

• Implementation flaws

• Usability – need another mobile?

• War driving, War chalking

• AirSnort, Kismet, WEPcrack

• Denial of Service

• … but are these real?

8

What can you do with an old laptop and a scenic view?

9

And a couple of old techies?

10

Results

• 150 + wireless networks seen

• Just using internal PCMCIA aerial

• Only half used WEP encryption (some are hotspots)

• With aerial can pick up Canary Wharf – 4 km away

• “The Feds can own your LAN too” – in 3 minutes

• http://www.tomsnetworking.com/Sections-article111.php

• Packet injection attacks

11

And that’s not all …

• Use in hotspots – real or fake?

• Home networks – set up securely?

• Location-sensing required – e.g. personal firewalls

• Insider threats – inadvertent and malicious

• Stolen devices (with keys)

• Other wireless devices

12

Floods of vulnerabilities

13

Means anticipating failure

14

But the new devices fix it, don’t they?

• "Those who cannot remember the past are condemned to repeat it." - George Santayana, The Life of Reason

• WEP -> WPA -> WPA2 (802.11i) -> ??

• But devices are upgradable.. Or are they?

• And it takes years to flush out the old equipment

• So hotspots support least common denominator

• So have to run IPsec or SSL/TLS instead

• Unless you really can design from new

15

In conclusion

• Assess risks

• Confidentiality, Integrity and Availability are still key

• Anything can go wrong – so be prepared for failure

• Put appropriate policy controls in place

• Trust – but verify – check configurations, monitor data

• Work with your security people

• And reap the business benefits!

Questions?Questions?

Andrew Yeomans

VP Global Information Security

Dresdner Kleinwort Wasserstein

Andrew.Yeomans@drkw.com

Wi-Fi Summit - October 2005