Company name: Bluefire Security Technologies
Price: From $15,000 for 50 users
Agent platform: Pocket PC 2002 on Dell Axim, Toshiba e740, HP iPAQs
Server platform: Windows 2000 Server or AS with SQL Server 2000
Bottom line: Solid centralized Pocket PC and smartphone protection for large enterprises and carriers
In a nutshell: Extends common desktop security best practices like authentication, encryption, intrusion detection and firewall to 802.11-, GPRS- and CDMA-enabled PDAs.
- Server-based architecture enables central security policy control and monitoring
- PDA agent software is unobtrusive, requires no end-user configuration
- Withstood lab-generated attacks without failure, reported clearly in charts/graphs
- Limited set of Pocket PCs supported today; Smartphones just announced
- Requiring Win2000 Broker for ActiveSync adds indirection, delay
- No ability to audit PDAs to verify policy activation
Today, many workers use personal PDAs for business, risking corporate data, passwords and Intranet compromise after loss or theft. PDAs are becoming more robust, but few users password-lock PDAs, much less secure them like a laptop. As PDA use grows, IT departments have an increasingly difficult time ignoring this threat. By implementing centrally-managed authentication, encryption, integrity, and firewall policies, Bluefire Mobile Firewall Plus helps bring Pocket PCs under IT control.
Deploying Bluefire is not like installing a ZoneAlarm or McAfee personal firewall. As the price suggests, Bluefire is an enterprise solution. Group, user and device-level policies are administered through an Enterprise Manager Win2000 Server. When deployed, security "packages" are made available to Bluefire brokers -- Win2000 PCs that use ActiveSync to download rules and upload logs from PDAs. Bluefire Agents on each PDA enforce rules -- for example, requiring an access password, preventing system file modification and blocking unauthorized packets.
From the user's perspective, Bluefire is simple. Just pick one of four security levels, from Trust No One to Trust All. Events are recorded in a log, visible to the user and uploaded to the Broker during synchronization. There's nothing to configure except turning notification off. I'd rather set this by severity, because informational events can be frequent. In fact, users should not even notice Bluefire until a high-severity event. For example, if Bluefire's Integrity Monitor sees a sensitive file change (e.g., a possible virus or trojan), it quarantines the PDA, preventing further use to contain the malware. If Bluefire detects password guessing, it displays a warning and hard-resets the PDA to prevent data disclosure.
IT administrators use Bluefire's Enterprise Manager. This surprisingly complex console takes a little time to master. Policies are grouped into packages, assigned hierarchically to Groups, Users and Devices. Every package contains four inbound and four outbound firewall policies, one fixed intrusion detection policy, a list-selectable integrity policy and an authentication policy. Firewall policies list source/destination ports and actions (allow/deny, log, severity). Templates and cloning simplify firewall rule creation, but I'd rather not be stuck with four levels -- two could be simpler and sufficient for many. Integrity policies protect important files for each PDA, which is one reason that Bluefire supports only a specific set of Pocket PCs.
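To make the package model concrete, here is a small added illustration (my own constructed code, not Bluefire's software or data format) of how hierarchical assignment and per-rule severity would play out: the most specific package wins, each firewall rule carries an allow/deny action plus a log severity, and user notifications are filtered by severity as suggested above. Package names, port numbers and the default-deny behaviour are assumptions for the demo.

```python
"""Toy model of hierarchical security packages with severity-tagged firewall rules.
Constructed illustration only; not Bluefire's code, rule syntax or defaults."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FirewallRule:
    direction: str   # "inbound" or "outbound"
    port: int        # destination port the rule matches
    action: str      # "allow" or "deny"
    severity: int    # 1 = informational, 2 = warning, 3 = high (assumed scale)
    log: bool = True


@dataclass(frozen=True)
class Package:
    name: str
    rules: tuple
    default_action: str = "deny"   # assumption: unmatched traffic is denied


# Constructed sample packages: a permissive group default and a strict device override.
GROUP_PKG = Package("Trust All", (FirewallRule("inbound", 80, "allow", 1),))
DEVICE_PKG = Package("Trust No One", (
    FirewallRule("inbound", 80, "deny", 3),        # blocked probe: high severity
    FirewallRule("outbound", 443, "allow", 1),     # routine sync traffic: informational
))


def resolve_package(group=None, user=None, device=None):
    """Most specific assignment wins: Device, then User, then Group."""
    chosen = device or user or group
    if chosen is None:
        raise ValueError("no package assigned at any level")
    return chosen


def evaluate(pkg, direction, port, event_log):
    """Apply the first matching rule, recording an event if the rule logs."""
    for rule in pkg.rules:
        if rule.direction == direction and rule.port == port:
            if rule.log:
                event_log.append({"direction": direction, "port": port,
                                  "action": rule.action, "severity": rule.severity})
            return rule.action
    return pkg.default_action


def notifications(event_log, min_severity=3):
    """User-facing alerts: only events at or above the severity threshold."""
    return [e for e in event_log if e["severity"] >= min_severity]
```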
The Enterprise Manager is also the event repository, providing a nice collection of reports and charts, with customized parameters, filtering, and strong export capabilities. Here, I'd like more visibility into when packages were downloaded from brokers onto PDAs. Because mobile devices are not continuously reachable, it can take a while for an updated package to actually reach the handheld, and administrators may want this kind of audit capability.
I subjected a Dell Axim with Bluefire to 802.11-based packet floods and port scans, password-guessing, and file corruption. In every case, Bluefire correctly enforced my packages, although in some cases I had to wait for the package to take effect. I found event-logging complete, with one obvious exception: when a PDA is quarantined or hard-reset, events not yet uploaded to the Manager are lost. In fact, there will always be some delay in uploading, since this occurs only during synchronization, based on the number of events. According to Bluefire, broker synchronization will become optional early next year, when direct SSL communication between the Agent and Manager will be added.
Due to price and infrastructure, Bluefire is not for individuals or businesses with just a few PDAs. However, medium-to-large companies grappling with wireless Pocket PCs will find that Bluefire covers many common threats under one umbrella. Bluefire just announced support for smartphones with GPRS and CDMA and will OEM this to wireless carriers. By expanding its reach, Bluefire will help both private companies and public carriers stop airborne attacks that could otherwise turn wireless PDAs into unprotected backdoors.
About the author: Lisa Phifer is vice president of Core Competence, Inc., a consulting firm specializing in network security and management technology. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in November 2003