Re: Phone based VPN access
From: norml () trustdigital com
Date: 13 Jan 2006 15:51:18 -0000
It may not seem obvious, but the threat to an enterprise from data capable mobile devices is very high today. Here's
1) Lots of valuable data: Mobile devices are carrying more and more enterprise data every day. In the past, products
like GoodLink, Intellisync, and BES made over-the-air sync easy but now Microsoft gives it to you for free with
Exchange ActiveSync. It's easier than ever for users to get their corporate email, calendar, contacts, and other data
on their phones, and in many cases it doesn't take any administrator action to make it happen - completely user
provisioned. Add the capabilities of desktop sync and USB storage in the mix and you've got a situation where a lot of
sensitive corporate data is walking in and out of your front doors on mobile devices every day.
2) Very vulnerable platform: The mobile devices in use today have very poor native security built-in. A power-on
password and maybe a remote kill pill are about all you can expect from most manufacturers and sync vendors. On top of
that, most of the mobile operating systems have no notion of multiple security levels, administrative access, file
access permissions, or any of the things we've become used to in desktop OSes. On top of all THAT, these things are
designed from the ground up to make communications easy - just think about the malicious routing and gateway threats
from a device that can be connected to WiFi, GPRS/EDGE/EVDO, Bluetooth, IR, and USB connections all at the same time.
And you spent how much money on your corporate firewall? :)
3) Easy-to-lose form factor: They're small, they fit right in your pocket, and get left in airports, taxi cabs, and
hotel rooms a great deal more than laptops do.
4) "Mixed-use" makes enforcement difficult: A good percentage of these devices are now "mixed use", meaning the user
owns it and splits its use between personal and business. When the enterprise doesn't own the asset, the security
rules become a little different. You have to be able to deal with things like users installing their own software,
enforcing data access rules between applications, etc.
5) They are unavoidable. These devices, and the mobile access to data that they provide, are essential to the way we
do business and are unavoidable from a security standpoint. People need them, so we need to figure out how to secure
So, having established that mobile devices present a significant risk, it should be obvious that adding VPN connectivity
to those devices only makes the problem worse. Adding a secure tunnel into the center of your corporate network from
an insecure endpoint is a huge risk.
So, what do we do about it:
This is all about endpoint security - just like it was with laptops establishing VPNs to the enterprise 10 years ago.
The main enterprise security problem with today's mobile devices is that the built-in security sucks. Until you can
establish and verify solid endpoint security, you can't allow them to VPN in to your network. The only way to make
secure use of mobile devices in an enterprise is to put in place a security solution that is device independent,
network and sync independent, and carrier independent and provides the following security features on the devices:
- Strong authentication
- Compliance checking and reporting
- Resource control (camera, Bluetooth, IR, other interfaces)
- Application control (what apps can do, what data they can access, etc)
- Network security (VPN, firewall, etc)
- Transparent (or as transparent as possible) to users
- Simple provisioning
- Centralized, policy based, control of all mobile devices
Once you have these things available to you as a security administrator on mobile devices, you can begin to trust them
at the same level as you trust your other mobile devices (laptops). As far as known exploits go, there are several -
and the list is expanding every week. It's only a matter of time until the majority of the bad guys figure out that
the most efficient way to get malicious code into your protected enterprise is via a mobile device. Think about it -
your corporate firewall, IDS, IPS, anti-virus, and various other fancy acronym devices and solutions wouldn't see
malicious code injected into your network from a smart phone syncing to a laptop via USB. Most likely the same for
malicious code syncing over-the-air directly to your Exchange server. You could easily contract a mobile virus via
Bluetooth in Starbucks and immediately route it into the heart of your enterprise via your over-the-air sync mechanism.
It's a big security issue, so be careful with your use of mobile devices in the enterprise. They can be implemented
both efficiently AND securely if you do things right, and the users will be happy and the executives will love you. Do
it the wrong way, and, well, I guess there are a lot of security jobs out there.
Hope that helps,
Trust Digital, Inc.
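The post's core recommendation is to verify endpoint posture (compliance checking, resource control, application control) before a mobile device is allowed to bring up a VPN. The following is an added example, not code from the poster or from Trust Digital: a small posture-gated admission check that evaluates a device's self-reported state against a central policy and returns every violation for compliance reporting. All field names, policy values and sample device reports are assumptions constructed for the illustration.

```python
"""Posture-gated VPN admission check (constructed example).

Evaluates a mobile device's self-reported posture against a central
policy before a VPN session is allowed. Field names, policy values and
the sample reports below are assumptions for illustration only.
"""
from dataclasses import dataclass

# Central, administrator-owned policy: what a device must satisfy before
# it may tunnel into the corporate network (assumed values).
POLICY = {
    "require_power_on_password": True,
    "min_password_length": 6,
    "require_storage_encryption": True,
    # Resource control: interfaces that must be off while connected.
    "forbidden_interfaces_while_connected": {"bluetooth", "ir"},
    # Application control: software that disqualifies the device.
    "blocked_apps": {"unsigned-sync-tool"},
    # A posture report older than this is not trusted.
    "max_report_age_seconds": 300,
}


@dataclass
class Posture:
    """What the device agent reports about itself (assumed schema)."""
    device_id: str
    password_set: bool
    password_length: int
    storage_encrypted: bool
    active_interfaces: set
    installed_apps: set
    report_age_seconds: int


def evaluate(p: Posture, policy=POLICY) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every failed check is recorded rather
    than stopping at the first, so the report is useful for auditing."""
    reasons = []
    if p.report_age_seconds > policy["max_report_age_seconds"]:
        reasons.append("stale posture report")
    if not p.password_set:
        if policy["require_power_on_password"]:
            reasons.append("no power-on password")
    elif p.password_length < policy["min_password_length"]:
        reasons.append("password too short")
    if policy["require_storage_encryption"] and not p.storage_encrypted:
        reasons.append("storage not encrypted")
    bad_ifaces = p.active_interfaces & policy["forbidden_interfaces_while_connected"]
    if bad_ifaces:
        reasons.append("forbidden interfaces active: " + ", ".join(sorted(bad_ifaces)))
    bad_apps = p.installed_apps & policy["blocked_apps"]
    if bad_apps:
        reasons.append("blocked apps installed: " + ", ".join(sorted(bad_apps)))
    return (not reasons, reasons)
```

A VPN gateway would call `evaluate()` on each connection attempt and log the returned reasons centrally; a device that fails is denied the tunnel until it is brought back into compliance.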