452 Chapter 10 • Securing Your Wireless Web to an independent audit. Some service providers will provide an independent audit report, but it is still necessary to consider the scope and the age of an audit report. Secure Application Interfaces Wireless applications and servers typically communicate with back-end data sources and applications such as databases and legacy applications. In a typical three-tier architecture (Web browser,Web server plus middleware, and back-end application) a Web server is exposed to the Internet while back-end applications reside within more secure regions of the network. Communication with back- end systems should be implemented using secure protocols and, if possible, through private networks. If an ASP is used, a VPN or private network connec- tion may be configured, but this does not provide security through to the Web or server or mobile application; only to the service provider’s network. The best way to address the issue of secure communications between applica- tions is for servers to communicate using a secure protocol such as SSL. If this is not possible, a VPN and a private WAN connection is the best solution when using a service provider and a private LAN between machines at the data center is recommended (This can be accomplished by adding a secondary network interface card to each server and explicitly configuring the IP addresses or net- work route to the sister servers. Problems of a Point-to-Point Security Model Theoretically, the problem of point-to-point security architectures can never be fully resolved.The only solution is end-to-end security. Of course, point-to-point security can provide additional layer of security as a conduit for communications secured through a PKI.The advantage of going with the flow on point-to-point security is that you retain complete flexibility with respect to devices and the locations of users as they travel, assuming that your mobile application software operates globally. Sniffing and Spoofing Sniffing is the process of collecting raw information from a network then fil- tering it for information related to specific users, machines, or applications. Spoofing refers to simulating a node on a network in order to redirect users to a replica of an application and deceiving them into unknowingly revealing pass- words or credit card numbers.As a rule, unencrypted communication can be observed and falsified without detection. PKI security eliminates this possibility. www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 452 Securing Your Wireless Web • Chapter 10 453 Session Management and URL Rewriting On the Web, cookies are used to maintain state between Web browsers and Web servers. On the wireless Web not all browsers support cookies. In the absence of a PKI, less secure methods of maintaining state, such as URL rewriting, must there- fore be used. URL rewriting allows applications to maintain their last state inde- pendent of cookies by rewriting the URLs sent to the browser in such a way that when the user browses to the rewritten URLs within an application, the server is able determine that the request has come from a specific user.This method poses a security risk since URLs of this kind could be sniffed off the wire and used by hackers to bypass normal authentication before accessing the application. If the algorithms for URL rewriting can derived by a hacker, arbitrary information or transactions can be accessed for a given server or application. Man-in-the-Middle Attack A man-in-the-middle is a person who intercepts communications passing through a point where it is unencrypted (such as a WAP gateway), and then replaces the original communication with a false communication that is made to appear legitimate.When the recipient of the false communication responds, they believe that they are dealing with the person who originated the communication rather than the man in the middle. In practice, exploiting this theoretical vulnera- bility would require a combination of specialized software either installed on a mobile operator’s WAP gateway or interposed in the communication path through spoofing. SECURITY ALERT ■ Cracking Cracking is the practice of guessing a user’s password. Since most users choose weak passwords, the best way to crack a password is to know things about the user such as important dates or names of children or pets. Systematic guessing can be automated by writing a program that attempts to enter things such as the words in the dictionary as a user’s password. The best defense is a good password and a system that does not tol- erate failed login attempts. ■ Hacking Hacking is a much overused term and it has more than one meaning. The original and most common use refers to pro- gramming or working with computers in an obsessive way, espe- cially if the result of this work is ingenious. In the 1980’s the www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 453 454 Chapter 10 • Securing Your Wireless Web terms was applied to people who broke into computer systems or wrote malicious programs such as computer viruses. ■ Sniffing Capturing raw network traffic and filtering it to look for specific information. Information in the clear can be read by anyone with the hardware and software necessary to sniff the or network. ■ Spoofing Spoofing refers to methods of simulating the identity of a machine or application in a network. This can be done either at the hardware level (assuming control of a network route) or a physical or logical level (network address and soft- ware applications). The best defense is a PKI because end-to-end security technologies can detect if one end of the communica- tion has is inauthentic. No Complete Solution Although a point-to-point security model sounds reasonable, it is a fundamentally flawed and limited approach.Whenever data is unencrypted it is vulnerable, and from a security standpoint it would be clearly incorrect to assume that acciden- tally transmitting data over the Internet in the clear because of an improper WAP gateway configuration is a worthwhile risk. Similarly it would be a mistake to assume that all WAP gateways or WASP data centers are secure.WTLS may be secure, but the question is irrelevant if the security it provides stops at the WAP gateway. Each juncture within the current wireless security patchwork is a vul- nerability that can, at least in theory, be exploited. One key to good security is the attitude that even the most obscure vulnerabilities are unacceptable if there is any way that they can be avoided. PKI Technology and End-to-End Security Models The promise of Public Key Infrastructure security is complete end-to-end secu- rity where communications remain secure even if intercepted.This is because there is no point between the mobile device and the Web server or mobile appli- cation where data are unencrypted. In contrast to the point-to-point WTLS secu- rity model, PKI security provides end-to-end security (see Figure 10.7) by deploying digital certificates to client applications such as wireless browsers.A PKI may be used to provide strong security within an enterprise or between www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 454 Securing Your Wireless Web • Chapter 10 455 businesses since a PKI provides the security necessary for secure business transac- tions over the Internet. Although PKIs are relatively common within large corporate networks and on the Internet, certificate-based encryption technologies and PKIs are not widely deployed on the wireless Web. For several reasons, there is no dominant standard for wireless digital certificates and PKI technologies. ■ Different PKI security technologies and competing vendors ■ Different wireless browsers ■ Limited bandwidth, device capacity, and processing power ■ Albatross of incompatible legacy devices already deployed ■ Lack of global standards for browsers and devices In the past, the adoption of PKI security on the Web has concentrated on industries and focused only on applications that deal with the most sensitive data, rather than becoming ubiquitous.The wireless Web is no different, and you, the www.syngress.com Figure 10.7 End-to-End Security Model Internet Wireless Network Web Server WAP Gateway PKI technology provides end-to- end encryption. WAP Phone 159_wg_wi_10 10/22/01 5:47 PM Page 455 456 Chapter 10 • Securing Your Wireless Web wireless Webmaster, need to decide if there is a return on investment for the expense and overhead of deploying a PKI. How to Deploy a PKI Devices that support PKI security technology are not widely deployed today. Every PKI implementation is unique to the organization or application that requires security. For this reason, PKI technology is not an off-the-shelf product or turnkey solution.To deploy a PKI you have to first select a wireless PKI tech- nology and a vendor.The technology and vendor you select depends on the application and on the wireless browser and devices that you wish to deploy. Server Side PKI Integration Most wireless PKI vendors provide a server-side Software Development Kit (SDK) that allows their technology to be integrated with wireless applications, and some wireless application platforms and WASPs already support one of the leading PKI solutions. Client Side Devices PKI technologies must be supported both in a client application, such as a wire- less browser, and in a server application. Deploying a PKI for the wireless Web means standardizing on a specific wireless browser and on the devices that sup- port the selected browser.There are several available wireless browsers that sup- port PKI technologies, but this by itself is not a complete solution because the server must support the same technology as the browsers and the PKI must deployed in order to be used .As a rule, existing devices cannot be upgraded to support the latest PKI security technologies so deployment of new mobile devices along with a PKI solution is a routine approach. Choosing a Certificate Authority Deployment of a PKI for both the Web and the wireless Web depends on the deployment of a Certificate Authority (CA).When a client certificate is generated, the algorithm uses the creator’s root certificate and digitally signs the client certifi- cate.The root certificate is the basis for trust between clients and servers that share certificates with a common root. Every organization that deploys a PKI must decide what CA to use. For your organization’s CA, you can choose either a com- mercial security technology vendor such as Certicom, Diversinet, or Baltimore, or you can use their software to establish you own CA. For interoperability between www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 456 Securing Your Wireless Web • Chapter 10 457 systems it is best to use a common CA so that organizations can easily grant access to one another’s users.The decision of whether to use a commercial CA or become a CA is not only a question of technology but also a function of company size and organizational goals.There is also a political component for mobile com- merce since there are a growing number of a laws related to digital signatures. Certificate Management Framework PKI technology vendors provide tools for the creation, management and deploy- ment of certificates. Certificate management is the process of choosing or becoming a certificate authority, of creating and securely deploying certificates, of keeping them in escrow in case they are lost or destroyed, and of controlling their expiration and renewal. Since certificates expire, there must be a straightforward way of replacing certificates that are deployed on mobile devices. Certificate Deployment PKI deployment involves server-side integration, mobile device or browser selec- tion, certificate creation, and client-side certificate deployment. PKI solutions require users, IT administrators, or both to create and install or renew client-side certificates.The certificate deployment process can be problematic for mobile devices because they are typically in the hands of users who are dispersed within and outside the organization. Certificate deployment must be done securely: if a user’s certificate is intercepted, it could grant unauthorized access to an intruder. Practical Limits of PKI Technology The largest problem with deploying a PKI is the lack of standards; it is not pos- sible to deploy a PKI technology on the server side and accommodate the devices that users already have to allow users much choice of devices. For prac- tical reasons, the lack of standards also limits geographical coverage. For example, a PKI may be deployed in a specific c-HTML browser on a wireless PDA plat- form such as Palm OS in North America, but wireless connectivity for the device may not be available in Europe.Another example would be if a specific model of phone implementing current WAP security standards were issued to mobile workers. Users traveling to Asia cannot use these devices, and the available Asian devices (such as NTT DoCoMo i-mode phones) do not use WAP. In many com- panies it is not practical to standardize mobile devices throughout the organiza- tion.To avoid replacing or standardizing on a single wireless phone, the best approach may be to deploy a PKI in conjunction with PDAs, particularly where www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 457 458 Chapter 10 • Securing Your Wireless Web this reduces the need for notebook computers since reduced cost is a key reason for using both PDAs and wireless access. Using PDAs with PKI Security The most powerful handheld mobile devices with the most capacity, flexibility, and readily available security technologies are PDAs. PDAs also support installable software and have the ability to synchronize with desktop PCs. In situations where wireless PDA users sync their PDAs to desktop workstations, administra- tors have some control over what software is installed, and have the ability to update that software.These managers should specifically ensure that wireless browsers are kept up-to-date. If a management solution such as Microsoft’s System Management Server is in place, this can be used to exert centralized con- trol of PDAs by indirectly manipulating PDA configurations.Although PDAs are more involved than phones, using wireless PDAs is the most manageable solution because wireless browsers with digital certificate support are already available, and the software on a PDA such as a Palm Pilot or PocketPC can be easily upgraded. PDAs with expansion slots, such as the Handspring Springboard slot or Pocket PC Card adapter can accommodate more than one type of wireless modem, so PDAs can be configured to go to wherever users travel as long as there is a wire- less network to provide data access. In the future, the problems of PKI security will be eased by the introduction of new networks such as General Packet Radio Service (GPRS) and new mobile phones with either with built-in digital certifi- cate support or flexible software configurations similar to today’s PDAs. The Future of Security on the Wireless Web The future of wireless security lies in its convergence with Internet and Web security. For example, a future PDA with a direct IP connection and HTML browser supporting SSL need not pass through a WAP gateway. In the interim there will be further standardization on wireless browsers, and hopefully a single dominant PKI standard. More to the point, there should be a standard means of installing digital certificates and of managing wireless PKIs from an IT perspec- tive. Mobile devices have a long way to go before corporate IT personnel and wireless Webmasters will find them configurable and manageable. The Internet and telecommunications marketplaces will continue to converge in the wireless Web, but this will be driven more by enterprise applications than www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 458 Securing Your Wireless Web • Chapter 10 459 by Web content. Mobile operators and device manufacturers will continue to evolve their alliances with systems integrators and wireless software companies, pursuing enterprise business directly with solutions based on their selected devices and wireless network and security infrastructures, although this does not solve the problem of global security standards. For a global solution there are two options.The first, which is currently available, is a sophisticated software solution that eliminates the complexities of disparate devices, networks and standards but does not solve the problem of creating a globally viable PKI.The second is to wait for 2.5G and 3G networks and devices. PDAs are generally a better overall solution for corporate users, though not the lowest in cost. In North America, however, there is limited coverage for wire- less PDAs. It remains to be seen how these solutions will fare against the coming 2.5G and 3G networks and devices. In the meantime, PDAs are morphing into miniature Web pads.The adoption of PDAs, particularly in the corporate IT sector, will continue alongside that of wireless phones over the next few years. www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 459 460 Chapter 10 • Securing Your Wireless Web Summary The adoption of wireless technologies and applications is driven significantly by the exchange of information and financial transactions that must be secure. Wireless promises to extend corporate data, applications, and the Web to mobile devices. without security that promise is rendered hollow, but security on the wireless Web is far from simple. Unlike the Internet, the wireless Web is a patch- work of different and incompatible standards.There are two basic approaches to security on the wireless Web: point-to-point and end-to-end. Point-to-point security provides the widest choice of mobile devices and browsers, and is the only way to achieve a truly global solution. End-to-end security is synonymous with PKI security technologies, and while PKIs are clearly the better approach, there are many barriers to successful deployment, not the least of which is that using a PKI severely limits the devices that can be deployed.The fundamentals or security technologies (private or secret key and public key encryption) are iden- tical on both the conventional and wireless Web, but there are several problematic areas in wireless Web security. Most of these problems can be managed with varying degrees of assurance with respect to minimizing risks through careful analysis, planning, and management of the wireless solution; and by balancing security requirements with the need for flexibility in mobile device, browser, and network support. In the future, many of the current limitations in wireless Web security will be resolved. However, It remains to be seen if, or to what extent, the adoption of wireless and the introduction of faster networks and more powerful devices will outrun the maturation of wireless security technologies, while wire- less and Internet security standards and technologies simultaneously converge. For ordinary Web content and applications like e-mail that enjoy limited security over the Internet, point-to-point security and WTLS Class I are clearly adequate solutions. For financial applications and sensitive corporate information, the enforcement of SSL on Web servers and applications is a necessary step that must be taken today. Newer implementations of WTLS will improve security in this case.A PKI solution is necessary for highly secure applications,, and the best way to secure your organization’s wireless communications via a PKI solution is to use PDAs rather than mobile phones. Many of the issues that are seen as chal- lenging today will be resolved when 2.5G and 3G networks replace the current wireless infrastructure on a large scale. 3G networks and the devices that will run on them will provide better and more manageable security because they will sup- port end-to-end SSL and installable software through technologies such as J2ME. www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 460 Securing Your Wireless Web • Chapter 10 461 Solutions Fast Track Comparing Internet and Wireless Security ; Security on the Web is less complex than security on the wireless Web because the Web represents a single paradigm both for application devel- opment and for security. ; The Internet and the Web provide a somewhat coherent model for applications and security with a handful of ubiquitous standards. On the wireless Web there are many networks using different standards, multiple browser protocols, and several wireless markup languages. Security Challenges of the Wireless Web ; Unlike Secure Sockets Layer (SSL) and the x.509 standard for Public Key Infrastructures (PKIs) on the Internet today, there is no single stan- dard for wireless digital certificates or wireless browser plug-ins. ; The relatively weak encryption provided by wireless security technolo- gies such as the Wireless Transport Layer Security (WTLS) protocol and lightweight wireless PKIs is directly related to the length of the keys used and the sophistication of the encryption algorithms.These in turn are a function of device capacity, processing power, and wireless network bandwidth. ; User awareness and insecure devices pose a large challenge to the wire- less Webmaster. Password protection, encryption programs, and device configuration control are the keys to minimizing the risks when devices are lost or stolen. ; Wireless Application Service Providers (WASPs) reduce customer infra- structure investment but require customers to trust their data to a network outside their control. ; Along with the spread of new technologies comes the potential for new viruses, but the same diversity of wireless devices, browsers and standards that hampers security can also hamper the spread of viruses and worms. ; Once you’ve determined what you’re going to make available wirelessly and how secure it needs to be, you can determine what steps you need www.syngress.com 159_wg_wi_10 10/22/01 5:47 PM Page 461 . page .To link the two forms, use the <Mobile:Link> control .The navigateURL attribute contains the ID of the form to link to. Note that the ID is preceded by a number character (#). Linking to. %> www.syngress.com Once the component is downloaded, copy the component into the directory that contains the Embedded Visual Toolkit 3.0 (for example, C:Windows CE Toolswce300MS Pocket PCemulationpalm300windows). After. verify that the value is actually the ID of Form three. If it is, we then set the current active form to be Form three using the ActiveForm property .The ActiveForm property sets and returns the page