SearchMobileComputing.

com
Establishing secure mobile communication
Dont miss all of the installments in this series on mobile device security:

Mobile device security policies: Asserting control over mobile devices
Managing mobile authentication methods
Establishing secure mobile communication

Mobile devices used to access corporate networks send business data over a wide variety of
links. From 3G wireless to WiMAX, hotel broadband to Wi-Fi hot spot, every public
network interface poses some business risk. In this tip, we explain how to set up secure
mobile communication, including how to encrypt mobile laptop, PDA and smartphone
transactions using tools that can enforce the same over-the-air security, independent of
device or network type.
Falling short with mobile communication security
Some mobile networks incorporate link security -- for example, 3G encrypts all messages
between handsets or data cards and a carriers base station. But each wireless network may
be different, and end-to-end protection is left to the user. Businesses therefore cannot rely on
link encryption to consistently and fully address mobile security needs.
Some businesses use point solutions to secure mobile communication end-to-end. For
example, many enterprises utilize the native encryption found in BlackBerry handhelds.
Such solutions can be an expedient way to secure part of your workforce, but they cannot be
extended to cover all mobile devices and may not fully support your security policy.
Filling gaps in mobile network communication
Fortunately, many options exist for securing mobile network communication, independent
of device type or access method.
IPsec VPNs: IPsec tunnels are a proven, robust method for ensuring the condentiality and
integrity of all private IP packets exchanged over any public network between a mobile
device and a corporate network VPN gateway. Today, most laptop and handheld operating
systems include an embedded IPsec VPN client, and roughly two out of three enterprises
have at least one IPsec VPN gateway. However, IPsec clients can be expensive to administer
-- particularly for large workforces that carry a broad mix of devices. IPsec can also be
disruptive for mobile users that roam frequently from one network (and public IP address) to
another. For these and other reasons, IPsec is most often used on IT-managed laptops that
remain stationary during communication.
SSL VPNs: SSL has a long history of reliably protecting e-commerce transactions between
Web browsers and servers. SSL VPN gateways use this same protocol to secure corporate
network communication by any device equipped with a Web browser. This approach
became popular by avoiding VPN client software, using dynamically downloaded Java or
ActiveX to deliver business application access via Web-based GUIs. However, more
complex applications cause client-side dependencies -- from requiring administrative rights
on the device to actually installing client-side executables. Today, SSL VPNs secure
network communication with many kinds of mobile devices, including unmanaged PCs,
PDAs and smartphones, but the applications supported on handhelds are often limited by OS
and screen size.
Mobile VPNs: Some VPN products are explicitly designed to overcome inter-network
roaming disruption. These Mobile VPNs can employ a variety of protocols, ranging from
proprietary UDP to Mobile IP. All use persistent encrypted tunnels to deliver trafc to a
given mobile device, independent of its physical location and network connectivity. Some
Mobile VPNs can actually hold messages destined for a mobile that travels beyond wireless
coverage or falls asleep, delivering them when communication resumes. Mobile VPNs offer
clear advantages for workers who must communicate continuously, without disruption,
while roaming between 3G/4G networks and Wi-Fi hot spots. This kind of functionality
requires installed client software, however, so it is critical to select a product that can
support all device operating systems used by your mobile workforce.
Secure applications: VPNs encrypt application messages in a generic fashion, but what if
you only care about encrypting email or keyboard/mouse/screen interaction with a remote
system? Some companies prefer to use mobile applications that have their own built-in
message encryption. In the short run, a secure application can often deliver device and
network-independent coverage without the cost and complexity of a VPN. But in the long
run, securing a large number of mobile applications independently can grow costly and
make it hard to enforce consistent policies.
In diverse workforces, it can be difcult to satisfy every mobile users needs with one type
of secure network communication. For example, some companies deploy a single SSL VPN
gateway but vary client access based on device, user and associated risk. Mobile users with
IT-administered laptops may be given broader access, while those with unmanaged laptops
or less capable smartphones may be restricted to email. If a single access platform simply
cannot do the trick, try to avoid narrow device or network-specic platforms and consolidate
control by using the same policies and credentials.
Completing the picture with secure mobile communication
Secure mobile communication methods can protect business trafc from eavesdropping,
forgery and replay, independent of the network(s) used. However, complementary measures
are needed to harden mobile devices against network-borne attack, endpoint compromise,
and user error.
VPN and secure application gateways are designed to let authorized users in and keep
everyone else out -- and that depends on authentication. See our section on
authorizing mobile device network access.
All secure mobile communication methods are based on policies that must be
carefully dened, universally deployed, and consistently enforced. See our section on
asserting control over mobile devices.
Mobile devices that connect via public networks must be protected against unsolicited
trafc from unknown and possibly malicious devices. Deploy host rewall and
intrusion-prevention programs to block non-VPN/secure application messages, both
inbound and outbound.
Some mobile access methods are LAN technologies that broadcast packets to
strangers on the same public network, including DHCP requests, NetBIOS/SMB
broadcasts, SSDP discovery messages, and IGMP multicasts. Congure mobile
devices and interfaces to eliminate protocols that are inappropriate in public networks.
Many users bypass secure mobile communication methods, either accidentally or
intentionally. Consider using centrally congured policies to stop users from disabling
VPNs or reconguring applications to send cleartext to destinations outside the
corporate network.
When any type of network tunnel is established, opportunity exists for an infected
device to enable backdoor access to the corporate network. Use antivirus/spyware
to mitigate this risk, either on the device itself or at the point of entry into the
corporate network.
Letting mobile users access your network is step 1. Monitoring how they use the
network and its resources is step 2. Leverage your network infrastructure to restrict
mobile users to the resources they should reach, and use network logging, analysis
and reporting tools to audit usage.
Finally, seek out opportunities to leverage control and reporting capabilities offered by your
network access providers. For example, if you purchase wireless transport from a carrier or
roaming access broker, you probably use a connection manager. Many connection managers
can dovetail with secure mobile communication methods by launching VPN tunnels or
applications at connect time and checking for running security processes. Such tools can
help you ensure that all the necessary components are in place before any business data can
be transmitted.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting rm
specializing in network security and management technology. Phifer has been involved in
the design, implementation, and evaluation of data communications, internetworking,
security, and network management products for nearly 20 years. She teaches about wireless
LANs and virtual private networking at industry conferences and has written extensively
about network infrastructure and security technologies for numerous publications. She is
also a site expert to SearchMobileComputing.com and SearchNetworking.com.
All Rights Reserved,Copyright 2003 - 2010, TechTarget | Read our Privacy Statement