Experts all recommend having mobile security policies, but a policy is worthless without the technology and processes to back it up. Managers and architects responsible for planning mobile deployment need to understand the nuts and bolts of delivering access when device types and connectivity options are many. In this expert lesson, you'll find in-depth discussion of the various methods and tools required to authenticate, control, and secure enterprise network access by mobile endpoints, from laptops to smartphones.
In this series:
Asserting control over mobile devices
Authorizing mobile device network access
Securing mobile network communication
Asserting control over mobile devices
by Lisa Phifer
Mobile devices used by employees for business without IT oversight can expose employers to unacceptable risk. From sloppy configuration to dangerous connections, many unmanaged devices -- and the business assets they contain -- are ripe for attack. In this section, we explain how to reassert IT control by automatically discovering and provisioning those mobile laptops, PDAs and smartphones.
Avenues of attack -- and control
In years past, mobile devices touched corporate networks through a relatively small number of interfaces. Laptops gained entry through a handful of VPN concentrators, while PDAs synchronized with individual desktops. But today, high-speed wireless has turned those tightly defined network perimeters into hard-to-manage Swiss cheese.
Most mobile devices now have multiple connections -- Ethernet and Wi-Fi are standard on laptops, Bluetooth and 3G are standard on smartphones, and some mobile devices have all four. Corporate network entry points have also grown more diverse, with off-site users arriving through a variety of application portals and on-site users connecting via Wi-Fi access points and Bluetooth-enabled desktops.
The bad news: Each of these network connections and entry points represents a potential vector for attack. The good news: Those points also represent opportunities to detect unmanaged or non-compliant mobile devices, giving you a chance to assert IT control.
Detecting mobile devices
Company-purchased laptops and handhelds can be registered at time of issue, but employee-purchased devices can fly under the radar until they visit your office or try to connect to a corporate resource. Establishing a complete mobile inventory over which you have control therefore requires device discovery.
Mobile devices come and go. A given device may connect through multiple entry points throughout the day, while a single person may use multiple devices simultaneously. To discover all of those devices, you cannot simply rely upon conventional wired network tools. Instead, you must complement your existing network port scanners and LAN managers with new wireless scanners, endpoint security managers and remote access platforms, and/or mobile device managers.
Wireless scanners can detect on-site devices with active Bluetooth or Wi-Fi interfaces even before they try to connect to corporate resources. Bluetooth scanners use Discovery protocols to find nearby devices that advertise supported Bluetooth services. Wi-Fi "stumblers" use 802.11 beacons and/or probes to find Access Points and Ad Hoc (peer-to-peer) nodes. But those periodic scans will overlook the vast majority of mobile devices that are not on site full-time. Instead, a more effective way to discover transient Wi-Fi clients is to use a full-time Wireless Intrusion Prevention System (WIPS). Alternatively, your WLAN switch may provide continuous "rogue detection" that can alert you to the presence of not just unknown APs but also unknown Wi-Fi clients.
Endpoint security managers can try to detect hosts connected to a corporate network, as a precursor to performing a security assessment or configuring endpoint security measures. These systems may help detect mobile devices in several ways. First, a mobile laptop directly connected to a corporate (wired or wireless) LAN can be discovered in the usual manner. Second, some endpoint assessment programs can scan a desktop's registry, processes and ports for telltale signs of mobile device use, such as active synchronization and email redirection programs. Third, some endpoint security managers interact with endpoint agent programs that continuously watch for unauthorized activity, perhaps intercepting mobile/desktop synchronization and acting as a conduit for registration and provisioning.
Remote access gateways and application portals can detect off-site mobile devices that use corporate mail and other business applications, even if those devices never visit the office. For example, VPN gateways can be configured to provide access to known/registered users only. To discover unknown mobile devices, however, they must also be able to differentiate between an authenticated person using a registered device and that same person accessing the network from any other device. Consider these needs when choosing remote-access authentication methods, and look for opportunities to leverage proprietary gateway/portal endpoint assessment features and emerging network access control (NAC) capabilities.
Mobile device managers distribute software and configurations to registered laptops, PDAs and/or smartphones. An MDM can play a critical role in asserting IT control over mobile devices, but some MDMs can also help you to discover mobile devices and then kick off automated registration and provisioning processes.
Podcast: The truth about network security and mobile device access. In this 10 minute podcast Lisa Phifer and Kate Dostart engage in some 'Fact or Fiction' to dispel some common misconceptions about network access, authentication, control, and over-the-air security for mobile laptops, PDAs, and smartphones.
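The discovery section above says you have to combine several sources (a WIPS or WLAN switch for on-site Wi-Fi clients, Bluetooth inquiry scans, and VPN gateway logs that tie an authenticated user to the device id presented) and compare them against the registered inventory. The following is an added example of that correlation, not code from the article or from any product it mentions: the inventory, MAC addresses and log lines are all constructed, and the log formats are assumed ones, since every WIPS and VPN gateway logs differently.

```python
"""Correlate device sightings from several entry points (WIPS, Bluetooth scan,
VPN gateway) against a registered inventory and flag unmanaged devices.
Added example: all identifiers and log lines below are constructed for
illustration and do not come from any real product or deployment."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed registered inventory: MAC address -> owner. In a real deployment
# this is exported from the MDM or asset database.
REGISTERED = {
    "00:11:22:33:44:55": "jsmith",   # IT-issued laptop, Wi-Fi adapter
    "a4:c3:f0:12:34:56": "jsmith",   # IT-issued smartphone, Bluetooth radio
    "00:11:22:33:44:66": "mlee",     # IT-issued laptop
}

# Constructed sample records from three discovery sources (assumed formats).
WIPS_LOG = """\
2008-03-04 09:12:01 WIPS client-assoc mac=00:11:22:33:44:55 ssid=CORP ap=AP-3F-01
2008-03-04 09:14:37 WIPS client-assoc mac=b8:27:eb:aa:bb:cc ssid=CORP ap=AP-3F-01
2008-03-04 09:15:02 WIPS adhoc-node mac=02:1f:3b:99:88:77 ssid=Free-Public-Wifi
"""
BT_SCAN = """\
a4:c3:f0:12:34:56 jsmith-phone services=OBEX,HFP
7c:ed:8d:11:22:33 Unknown-PDA services=OBEX,SPP,LAN-Access
"""
VPN_LOG = """\
2008-03-04 08:55:10 vpngw login user=mlee device-id=00:11:22:33:44:66 src=198.51.100.7
2008-03-04 12:30:42 vpngw login user=mlee device-id=3c:5a:b4:de:ad:01 src=203.0.113.9
"""

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)


@dataclass
class Sighting:
    mac: str
    source: str                 # "wips" | "bluetooth" | "vpn"
    detail: str = ""            # what the source saw (association, ad hoc node, ...)
    user: Optional[str] = None  # authenticated user, when the source knows one


def parse_wips(text: str) -> List[Sighting]:
    """WIPS alerts: the fourth field says whether this was a client association
    or an ad hoc node; the mac= field identifies the radio."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        m = MAC_RE.search(line)
        if len(fields) < 4 or fields[2] != "WIPS" or not m:
            continue
        out.append(Sighting(m.group(1).lower(), "wips", detail=fields[3]))
    return out


def parse_bluetooth(text: str) -> List[Sighting]:
    """Bluetooth inquiry results: address, advertised name, advertised services."""
    out = []
    for line in text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) == 3 and MAC_RE.fullmatch(parts[0]):
            out.append(Sighting(parts[0].lower(), "bluetooth", detail=parts[2]))
    return out


def parse_vpn(text: str) -> List[Sighting]:
    """VPN gateway logins carry the authenticated user and the device id the
    client presented, which is what lets us tell a registered device from any
    other device used by the same person."""
    out = []
    for line in text.splitlines():
        user = re.search(r"user=(\S+)", line)
        dev = re.search(r"device-id=([0-9a-fA-F:]{17})", line)
        if user and dev:
            out.append(Sighting(dev.group(1).lower(), "vpn", detail="login", user=user.group(1)))
    return out


def classify(sightings: List[Sighting], registered: Dict[str, str]) -> dict:
    """Split sightings into managed and unmanaged devices (keyed by MAC, with
    the sources that saw each) and list users who authenticated from an
    unregistered device."""
    by_mac = defaultdict(list)
    for s in sightings:
        by_mac[s.mac].append(s)
    report = {"managed": {}, "unmanaged": {}, "users_to_review": set()}
    for mac, seen in by_mac.items():
        sources = sorted({s.source for s in seen})
        bucket = "managed" if mac in registered else "unmanaged"
        report[bucket][mac] = sources
        if bucket == "unmanaged":
            report["users_to_review"].update(s.user for s in seen if s.user)
    return report


if __name__ == "__main__":
    sightings = parse_wips(WIPS_LOG) + parse_bluetooth(BT_SCAN) + parse_vpn(VPN_LOG)
    for mac, sources in classify(sightings, REGISTERED)["unmanaged"].items():
        print(f"unmanaged {mac} seen by {', '.join(sources)}")
```

The VPN source is the one worth noting: the user mlee authenticates successfully both times, but the second login presents a device id that is not in the inventory, so the report lists the device as unmanaged and puts mlee on the review list. That is exactly the distinction the text asks a remote access gateway to make between a registered user and that user on any other device.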
Bringing them into the fold
By documenting all discovered devices, you can assess the size and scope of the problem without disrupting business activities. Once you have a good handle on the risk posed by unmanaged mobile devices, you can take appropriate action.
You may decide to ban business use of unmanaged mobiles by blocking corporate resource access and instituting a manual process for administrator-provisioning of approved devices. Or you could explicitly permit them, using automated self-enrollment to register and provision newly discovered mobile devices. Small businesses may find manual provisioning workable, but those with large distributed workforces will save time and money by investing in mobile device management.
MDMs provide a centralized method of tracking and controlling mobile devices. Templates are often used to define the hardware, software and configurations that apply to each workgroup or device type. When a device is first discovered, they can be provisioned with the appropriate software and configurations. When patches are issued or security policies are revised, the same mechanism can be used to apply those changes. For wireless mobile devices, secure over-the-air management is clearly desirable.
Of course, asserting IT control over mobile devices is an ongoing task. Over time, even correctly provisioned devices may be reconfigured or become corrupted. Some MDMs can audit mobile devices to detect those unexpected changes. They may even enforce policies by restoring devices to an earlier backup or freshly provisioned state.
Read this SearchMobileComputing.com article to learn more about mobile device management and key capabilities. Whether you invest in an MDM or configure a small pool of devices one by one, asserting IT control over those unmanaged laptops, PDAs and smartphones can help your company avoid making headlines the hard way.
Authorizing mobile device network access
by Lisa Phifer
When mobile devices connect to business networks, user and endpoint authentication play critical roles in preventing misuse, abuse and attack. In this tip, we identify mobile authentication methods and discuss how to leverage authenticated identities to control what mobile laptops, PDAs and smartphones can and cannot do inside your network.
Who goes there?
Authentication verifies that users or systems are who they claim to be, based on identity (e.g., username) and credentials (e.g., password). Most highly publicized breaches are attributed to weak or absent authentication -- from unlocked laptops to wireless networks with cracked passwords. Many expensive and embarrassing incidents could be avoided by requiring robust authentication to mobile devices and the networks they use.
Mobile devices are easily lost or stolen, requiring protection against unauthorized access to their data, applications and connectivity. However, mobile users require frequent access for brief periods, making repeated password entry inconvenient. While most mobile laptops are set to require logins, the majority of PDAs and smartphones are not. Mobile passwords are widely available but rarely used unless employers enforce them.
Authenticating identity
When planning your mobile authentication strategy, strive to combine strength and enforceability with usability. Consider both device and network access credentials and how well each method can satisfy your platform, security and user requirements.
Passwords: If office desktops log into your Windows domain, you'll be tempted to reuse those passwords for users who connect from laptops and PDAs. Because simple passwords are easily guessed, you might enforce length, complexity and timeout rules. But this can make a handheld device very hard to use. If you choose passwords, combine them with policies that cater to mobile needs -- for example, let users receive calls and appointment notifications without password entry and provide a mobile password recovery process.
Non-text passwords: Entering text on a mobile can be awkward. Alternatives can require the user to tap symbols within a randomly generated matrix or a sequence of points on a photo. Unlocking a device this way could also decrypt other credentials stored on that handheld so the authenticated user can access his company's network. Symbols are handy on PDAs and tablets without keyboards but are not suitable for devices without a mouse or touch-screen.
Certificates: Digital certificates bind an identity to a public/private key pair and are considerably stronger than passwords, so long as the owner's private key is protected. Combining a device lock with certificate-based network authentication is increasingly common -- for example, a Wi-Fi laptop that is unlocked with a password and then uses a certificate on that device for WPA-Enterprise authentication. This method requires a public key infrastructure (PKI) to request, issue, distribute and revoke certificates, but that investment will provide a very strong foundation for access control.
Smart cards: Certificates can also be used to unlock a device, but doing so requires a way to store and "enter" the owner's private key. This is essentially what a smart card does. A smart card is a security chip, embedded in a credit card, badge or MMC/SD memory. That chip provides safe storage for cryptographic keys used by authentication and encryption algorithms. For example, a laptop may be unlocked by inserting an employee's badge into the laptop's card reader. When that employee launches a VPN tunnel or Wi-Fi connection, a certificate on the smart card can be automatically used for network authentication.
Handset identity modules: Smart card-like methods have long been used for cellular network authentication. GSM handsets and data cards contain subscriber identity module (SIM) cards. 3G mobile devices authenticate themselves with universal services identity modules (USIMs), CSIMs (CDMA subscriber identity modules) or removable user identity modules (RUIMs). These identity modules can be leveraged during enterprise network authentication, either alone or in conjunction with user authentication.
Hardware tokens: Many companies authenticate laptop users with small physical devices (hardware tokens) that generate one-time passwords. Each password is part of a series generated from a cryptographic seed known to the network and the user and is valid for only about a minute. The user typically enters his text password, followed by the string displayed by his token. This approach defeats password cracking and keylogging, since a captured one-time password cannot be reused. Furthermore, hardware tokens (and other physical methods like smart cards) prevent password sharing. However, they also incur per-user cost for hardware purchase, distribution and replacement.
Biometrics: Like tokens and smart cards, biometrics are typically used for multi-factor authentication. Multi-factor authentication combines at least two of the following: something you know (e.g., password), something you have (e.g., token) and something you are (e.g., fingerprint). Biometric authentication covers everything in that last category: fingerprints, voiceprints, iris scans, handwritten signatures, and so on. Enterprises have resisted biometrics because of cost, but some new business laptops and PDAs include fingerprint readers, and security programs can easily leverage standard handheld features to accept voice input. Biometrics are very convenient on frequently used mobile devices, but environment (e.g., dirt, noise) must also be considered.
Proximity: A few mobile security products have started to support proximity-based authentication. For example, a PDA or smartphone may stay unlocked indefinitely while communicating with the user's Bluetooth headset. RFID tag readers are being used for proximity-based authentication, permitting connections with mobile devices that pass through a checkpoint and denying connections outside that area. Proximity authentication is not yet common but has the potential to provide more transparent mobile authentication in the future.
Using identity to control access
Many network access controls rely on unauthenticated identities such as MAC and IP addresses that are vulnerable to spoofing. But when a mobile user and/or device has been authenticated, that identity can be safely used to control network access by mobile laptops, PDAs and smartphones.
- If mobile devices connect through on-site Wi-Fi, authentication occurs after association, before getting an IP address. WPA-Personal only supports passwords (PSKs), but WPA-Enterprise supports most authentication methods described in this tip. You must choose an Extensible Authentication Protocol (EAP) type that is compatible with your authentication method and integrate your WLAN infrastructure with your authentication server. Wi-Fi access is binary -- a device is either accepted or rejected. You can map authenticated Wi-Fi devices onto VLANs, however, for more granular access control.
- When mobile devices connect over an IPsec, SSL or Mobile VPN, authentication occurs during tunnel establishment, before routing data through the VPN gateway. Standard IPsec authentication is limited to passwords (pre-shared keys) or certificates, but vendor extensions usually support additional methods like tokens. Small businesses can configure users into the VPN gateway itself, but most enterprises integrate VPNs with external authentication servers (e.g., Active Directory, ACE Server). Attributes returned by that server are often used by the VPN gateway to control which network resources an authenticated user can reach.
- If devices connect through an application gateway like a Web portal or mobile server, authentication occurs during session establishment. How authentication works and methods that can be used depend on the gateway. For example, the BlackBerry Enterprise Server can authenticate mobile devices with passwords or smart cards. Authenticated users typically gain access only to selected resources within the target application/server.
Clearly, there are many ways that mobile devices can connect to your network -- see our next section on securing mobile network communication. But all of those ways depend upon determining the identity of the person and/or device at the far end of the connection. Selecting authentication methods for your workforce will have a major impact on mobile device usability and corporate network security. For best results, consider all of your options, conduct field trials, assess vulnerabilities, and obtain user feedback before settling on a mobile authentication strategy.
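The three entry points above all end the same way: the authentication server returns attributes, and the WLAN switch or VPN gateway turns them into an access decision (a VLAN for a WPA-Enterprise client, a resource set for a VPN user). The following is an added example of that step, not the article's code or any vendor's API. The policy tables, group names and device ids are constructed; AuthResult stands in for whatever your own authentication server returns. The last part goes one step further than the text and shows the VLAN decision in the form it actually travels in: the RADIUS tunnel attributes of RFC 2868, used for VLAN assignment as specified in RFC 3580.

```python
"""Use an authenticated identity, not a spoofable MAC or IP address, to decide
what a mobile endpoint may reach, then encode the Wi-Fi decision as the RADIUS
tunnel attributes (RFC 2868; VLAN usage per RFC 3580) an authentication server
returns to a WLAN switch. Added example: policy tables, groups and device ids
are constructed and AuthResult is a stand-in for a real server's response."""
import struct
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class AuthResult:
    user: str
    method: str                # "certificate", "smartcard", "token", "password", ...
    device_id: Optional[str]   # identity of the device credential, if one was presented
    groups: FrozenSet[str]     # group attributes returned by the authentication server


# Constructed policy tables.
VLAN_BY_GROUP = {"it-managed": 10, "staff": 20}   # first match wins, in this order
GUEST_VLAN = 99                                   # internet-only network for unknown devices
RESOURCES_BY_GROUP = {
    "staff": {"mail", "intranet"},
    "engineering": {"mail", "intranet", "source-control"},
}
STRONG_METHODS = {"certificate", "smartcard", "token"}


def decide_wifi_vlan(auth: AuthResult, registered_devices: Set[str]) -> Tuple[int, str]:
    """WPA-Enterprise only accepts or rejects; the VLAN returned with the accept
    is what makes access granular. Unregistered devices land on the guest VLAN."""
    if auth.device_id not in registered_devices:
        return GUEST_VLAN, "device not registered"
    for group, vlan in VLAN_BY_GROUP.items():
        if group in auth.groups:
            return vlan, f"group {group}"
    return GUEST_VLAN, "no group maps to a VLAN"


def decide_vpn_resources(auth: AuthResult) -> Tuple[Set[str], str]:
    """VPN gateway side: union of the user's group entitlements, cut back to
    email when the credential is a plain password (constructed policy choice)."""
    allowed: Set[str] = set()
    for group in auth.groups:
        allowed |= RESOURCES_BY_GROUP.get(group, set())
    if auth.method not in STRONG_METHODS:
        return allowed & {"mail"}, f"method {auth.method} is weak: email only"
    return allowed, "full group entitlement"


# RADIUS attribute types (RFC 2868) and values (RFC 3580) used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6


def encode_vlan_attributes(vlan_id: int, tag: int = 0) -> bytes:
    """Three tagged attributes, each laid out as Type, Length, Tag, Value."""
    def avp(attr: int, payload: bytes) -> bytes:
        return struct.pack("BB", attr, 2 + len(payload)) + payload

    def tagged_int(value: int) -> bytes:
        return bytes([tag]) + value.to_bytes(3, "big")

    return (avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
            + avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE802))
            + avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def decode_attributes(data: bytes) -> Dict[int, Tuple[int, Union[int, str]]]:
    """Walk the attribute list back into {type: (tag, value)}, rejecting
    truncated or undersized attributes rather than guessing."""
    out: Dict[int, Tuple[int, Union[int, str]]] = {}
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("malformed attribute length")
        body = data[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            # RFC 2868 section 3.6: a first octet above 0x1F is string data, not a tag.
            tag, text = (0, body) if body[0] > 0x1F else (body[0], body[1:])
            out[attr] = (tag, text.decode())
        i += length
    return out


if __name__ == "__main__":
    auth = AuthResult("jsmith", "certificate", "laptop-0042", frozenset({"staff", "it-managed"}))
    vlan, why = decide_wifi_vlan(auth, {"laptop-0042"})
    print(vlan, why, encode_vlan_attributes(vlan).hex())
```

Both decisions return a reason alongside the verdict; logging that reason per session is what later lets you audit why a device ended up on a given VLAN or with a given resource set, rather than reconstructing it from policy tables after the fact.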
Securing mobile network communication
by Lisa Phifer
Mobile devices used to access corporate networks send business data over a wide variety of links. From 3G wireless to WiMAX, hotel broadband to Wi-Fi hot spot, every public network interface poses some business risk. In this tip, we explain how to encrypt mobile laptop, PDA and smartphone transactions using tools that can enforce the same over-the-air security, independent of device or network type.
Falling short
Some mobile networks incorporate link security -- for example, 3G encrypts all messages between handsets or data cards and a carrier's base station. But each wireless network may be different, and end-to-end protection is left to the user. Businesses therefore cannot rely on link encryption to consistently and fully address mobile security needs.
Some businesses use point solutions to secure mobile communication end-to-end. For example, many enterprises utilize the native encryption found in BlackBerry handhelds. Such solutions can be an expedient way to secure part of your workforce, but they cannot be extended to cover all mobile devices and may not fully support your security policy.
Filling gaps
Fortunately, many options exist for securing mobile network communication, independent of device type or access method.
IPsec VPNs: IPsec tunnels are a proven, robust method for ensuring the confidentiality and integrity of all private IP packets exchanged over any public network between a mobile device and a corporate network VPN gateway. Today, most laptop and handheld operating systems include an embedded IPsec VPN client, and roughly two out of three enterprises have at least one IPsec VPN gateway. However, IPsec clients can be expensive to administer -- particularly for large workforces that carry a broad mix of devices. IPsec can also be disruptive for mobile users that roam frequently from one network (and public IP address) to another. For these and other reasons, IPsec is most often used on IT-managed laptops that remain stationary during communication.
SSL VPNs: SSL has a long history of reliably protecting e-commerce transactions between Web browsers and servers. SSL VPN gateways use this same protocol to secure corporate network communication by any device equipped with a Web browser. This approach became popular by avoiding VPN client software, using dynamically downloaded Java or ActiveX to deliver business application access via Web-based GUIs. However, more complex applications cause client-side dependencies -- from requiring administrative rights on the device to actually installing client-side executables. Today, SSL VPNs secure network communication with many kinds of mobile devices, including unmanaged PCs, PDAs and smartphones, but the applications supported on handhelds are often limited by OS and screen size.
Mobile VPNs: Some VPN products are explicitly designed to overcome inter-network roaming disruption. These "Mobile VPNs" can employ a variety of protocols, ranging from proprietary UDP to Mobile IP. All use persistent encrypted tunnels to deliver traffic to a given mobile device, independent of its physical location and network connectivity. Some Mobile VPNs can actually hold messages destined for a mobile that travels beyond wireless coverage or falls asleep, delivering them when communication resumes. Mobile VPNs offer clear advantages for workers who must communicate continuously, without disruption, while roaming between 3G/4G networks and Wi-Fi hot spots. This kind of functionality requires installed client software, however, so it is critical to select a product that can support all device operating systems used by your mobile workforce.
Secure applications: VPNs encrypt application messages in a generic fashion, but what if you only care about encrypting email or keyboard/mouse/screen interaction with a remote system? Some companies prefer to use mobile applications that have their own built-in message encryption. In the short run, a secure application can often deliver device and network-independent coverage without the cost and complexity of a VPN. But in the long run, securing a large number of mobile applications independently can grow costly and make it hard to enforce consistent policies.
In diverse workforces, it can be difficult to satisfy every mobile user's needs with one type of secure network communication. For example, some companies deploy a single SSL VPN gateway but vary client access based on device, user and associated risk. Mobile users with IT-administered laptops may be given broader access, while those with unmanaged laptops or less capable smartphones may be restricted to email. If a single access platform simply cannot do the trick, try to avoid narrow device or network-specific platforms and consolidate control by using the same policies and credentials.
Completing the picture
Secure mobile communication methods can protect business traffic from eavesdropping, forgery and replay, independent of the network(s) used. However, complementary measures are needed to harden mobile devices against network-borne attack, endpoint compromise, and user error.
- VPN and secure application gateways are designed to let authorized users in and keep everyone else out -- and that depends on authentication. See our section on authorizing mobile device network access.
- All secure mobile communication methods are based on policies that must be carefully defined, universally deployed, and consistently enforced. See our section on asserting control over mobile devices.
- Mobile devices that connect via public networks must be protected against unsolicited traffic from unknown and possibly malicious devices. Deploy host firewall and intrusion-prevention programs to block non-VPN/secure application messages, both inbound and outbound.
- Some mobile access methods are LAN technologies that broadcast packets to strangers on the same public network, including DHCP requests, NetBIOS/SMB broadcasts, SSDP discovery messages, and IGMP multicasts. Configure mobile devices and interfaces to eliminate protocols that are inappropriate in public networks.
- Many users bypass secure mobile communication methods, either accidentally or intentionally. Consider using centrally configured policies to stop users from disabling VPNs or reconfiguring applications to send cleartext to destinations outside the corporate network.
- When any type of network tunnel is established, opportunity exists for an infected device to enable "backdoor" access to the corporate network. Use antivirus/spyware to mitigate this risk, either on the device itself or at the point of entry into the corporate network.
- Letting mobile users access your network is step 1. Monitoring how they use the network and its resources is step 2. Leverage your network infrastructure to restrict mobile users to the resources they should reach, and use network logging, analysis and reporting tools to audit usage.
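The host-hardening items in the list above (block non-VPN traffic in both directions, drop LAN discovery protocols on public networks, log what gets through) can be read as one ordered policy applied to each flow on the device's public-facing interface. Here is an added example of that policy as decision logic run over constructed flows; it is not from the article or any firewall product, the gateway address and interface names are assumed, and the rule form is illustrative rather than any vendor's syntax. DHCP is left in the clear because the device cannot join the network without it; everything else that is not tunnel setup is dropped.

```python
"""Host-side traffic policy for a mobile device on an untrusted network: on the
public-facing interface only VPN tunnel setup and DHCP leave in the clear, LAN
discovery protocols and cleartext application traffic are dropped and logged,
and traffic on the tunnel interface is handed to corporate policy.
Added example with constructed addresses and flows; the rule form is
illustrative, not any firewall product's syntax."""
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

VPN_GATEWAY = "198.51.100.1"               # constructed gateway address
TUNNEL_IFACE = "tun0"                      # traffic already inside the VPN
VPN_SETUP = {("udp", 500), ("udp", 4500)}  # IKE and NAT-T for an IPsec tunnel
# Broadcast/multicast protocols a device does not need on a public LAN:
# NetBIOS/SMB, SSDP discovery and multicast membership, plus mDNS (added here).
LAN_DISCOVERY = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445),
                 ("udp", 1900), ("udp", 5353), ("igmp", 0)}


@dataclass(frozen=True)
class Flow:
    iface: str       # "wlan0" = public network, "tun0" = inside the VPN
    direction: str   # "out" | "in"
    proto: str       # "udp" | "tcp" | "igmp"
    peer: str        # remote address
    port: int        # remote port (0 for protocols without ports)


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason) for one flow. Rules are ordered: tunnel
    interface first, then the explicit clear-text allowances, then drops."""
    key = (flow.proto, flow.port)
    if flow.iface == TUNNEL_IFACE:
        return "allow", "inside VPN tunnel (corporate policy applies)"
    if flow.direction == "out" and flow.peer == VPN_GATEWAY and key in VPN_SETUP:
        return "allow", "VPN tunnel setup to gateway"
    if flow.direction == "out" and key == ("udp", 67):
        return "allow", "DHCP"
    if key in LAN_DISCOVERY:
        return "drop", "LAN discovery protocol on public network"
    if flow.direction == "in":
        return "drop", "unsolicited inbound from public network"
    return "drop", "cleartext outside tunnel"


def audit(flows: List[Flow]) -> Tuple[List[str], Counter]:
    """Apply the policy to a batch of flows; return a log line for every drop
    and a count of reasons for reporting."""
    log, reasons = [], Counter()
    for f in flows:
        verdict, reason = evaluate(f)
        reasons[reason] += 1
        if verdict == "drop":
            log.append(f"DROP {f.iface} {f.direction} {f.proto} {f.peer}:{f.port} ({reason})")
    return log, reasons


# Constructed sample flows as a laptop might produce them at a public hot spot.
SAMPLE_FLOWS = [
    Flow("wlan0", "out", "udp", "255.255.255.255", 67),
    Flow("wlan0", "out", "udp", VPN_GATEWAY, 4500),
    Flow("wlan0", "out", "udp", "192.168.1.255", 137),
    Flow("wlan0", "out", "udp", "239.255.255.250", 1900),
    Flow("wlan0", "out", "tcp", "203.0.113.50", 25),
    Flow("wlan0", "in", "tcp", "192.168.1.23", 445),
    Flow("tun0", "out", "tcp", "10.0.0.5", 443),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_FLOWS)[0]:
        print(line)
```

The cleartext SMTP flow to 203.0.113.50 is the case the list's fifth item is about: the user (or a misconfigured mail client) trying to send outside the tunnel. A default-drop rule on the public interface stops it regardless of whether the VPN client is running, which is the point of enforcing the policy on the host rather than relying on the user.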
Finally, seek out opportunities to leverage control and reporting capabilities offered by your network access providers. For example, if you purchase wireless transport from a carrier or roaming access broker, you probably use a connection manager. Many connection managers can dovetail with secure mobile communication methods by launching VPN tunnels or applications at connect time and checking for running security processes. Such tools can help you ensure that all the necessary components are in place before any business data can be transmitted.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.