Controlling what devices connect to your network is crucial, whether those devices are local or remote, stationary or mobile. Many enterprises use application portals, mail servers and/or VPN gateways to restrict mobile access, complemented by IPS to spot anything that slips through the cracks. Such techniques can be effective, but today's mobile devices can present new challenges that deserve further attention.
Look for leaks
At last month's Mobile Wireless Summit, we asked Gartner Distinguished Analyst John Girard for his advice on discovering mobile devices -- especially PDAs and smartphones that access and carry business data without corporate approval.
As a first step, Girard recommended scanning all desktop and mobile computers to detect unauthorized synchronization software and past sync activity.
But don't stop there. Some users may be forwarding corporate email to their own mobile devices. "With personal BlackBerrys and Windows Mobile smartphones, I can easily set up email to an outside ISP," Girard said. "Unless my company has a methodology to detect this, how would my company even know?"
To close this loophole, Girard recommended examining corporate servers and desktops for tip-offs like email or calls being routed to unusual destinations. "If your company is using a software distribution and inventory management system, you should be able to detect when these settings are out of compliance," he said. "Is there an application that's not supposed to be there or a configuration that's incorrect? Put procedures in place to stop [these policy violations], with help desk support to explain why they are blocked."
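The checks Girard describes (unauthorized sync software, past sync activity, mail forwarded to an outside address) can be run over an inventory export. The following is an added example, not from the article or from any inventory product; the record layout, the corporate domain and the watch list of sync tools are assumptions, and the sample records are constructed.

```python
from email.utils import parseaddr

# Assumed policy values (not from the article): the corporate mail domain
# and name fragments of sync tools the organization has not approved.
CORPORATE_DOMAINS = {"example.com"}
UNAPPROVED_SYNC = ("activesync", "blackberry desktop", "hotsync")

# Constructed inventory export: one record per managed computer.
INVENTORY = [
    {"host": "LT-0141", "user": "alice",
     "software": ["Microsoft Office 2007", "Microsoft ActiveSync 4.5"],
     "sync_last_seen": "2008-03-02", "forward_to": []},
    {"host": "DT-0077", "user": "bob",
     "software": ["Microsoft Office 2007"],
     "sync_last_seen": None, "forward_to": ["Bob <bob@mail.example.net>"]},
    {"host": "DT-0102", "user": "carol",
     "software": ["Microsoft Office 2007"],
     "sync_last_seen": None, "forward_to": ["carol.archive@EXAMPLE.com"]},
]

def is_external(address):
    """True when a forwarding target is outside the corporate mail domains.
    An unparseable address has no domain and is therefore treated as external."""
    _, addr = parseaddr(address)
    domain = addr.rpartition("@")[2].lower()
    return domain not in CORPORATE_DOMAINS

def audit(record):
    """Return (finding, detail) pairs for one inventory record."""
    findings = []
    for title in record["software"]:
        if any(name in title.lower() for name in UNAPPROVED_SYNC):
            findings.append(("unapproved-sync-software", title))
    if record["sync_last_seen"]:
        findings.append(("past-sync-activity", record["sync_last_seen"]))
    for target in record["forward_to"]:
        if is_external(target):
            findings.append(("external-mail-forward", parseaddr(target)[1]))
    return findings

def report(inventory):
    """Map each out-of-compliance host to its findings; clean hosts are omitted."""
    results = {r["host"]: audit(r) for r in inventory}
    return {host: found for host, found in results.items() if found}

if __name__ == "__main__":
    for host, findings in report(INVENTORY).items():
        for kind, detail in findings:
            print(f"{host}: {kind}: {detail}")
```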
Expand edge security
During his summit session entitled "Mobile Security on a Budget," Girard recommended that employers leverage the network edge systems they already control to mitigate the risks posed by new mobile devices.
"As the intelligence of mobile phones increases, attack paths [like] over-the-air software updates and simple scripting attacks will be prevalent -- all of which flow through servers to distribute content," Girard said. "Enterprises should focus malicious-content protection investments on sync servers, wireless application gateways, and external wireless network service provider offerings through 2009."
To reduce risk, use these network edge servers and gateways to filter all mobile device network access, avoiding policies that permit split tunneling. "The best way to [reduce mobile device risk] is to put all of your applications back on servers," Girard said. "If you can't make a device secure, get all the local data off of it."
Smaller companies without security infrastructure can still implement this approach by procuring communication services that are inherently secure. "Buy device encryption and management from your carrier," he said, "and insist that their mobile communication service filters for malware."
Deal with unmanaged devices
User-owned devices now exist even within the most conservative, risk-averse companies, according to Girard. Ignoring reality will not help. Rather, enterprises must begin to assess and tackle this exposure.
Many IT managers already worry about personal PDAs and smartphones, but Gartner finds that employees have started to use personal laptops as well. "If you haven't done a survey to find out who's gone off the corporate [laptop] image recently, it's time," he said. "Even kids know how to roll back to a restore point created before [corporate security] was installed so that they can run social games that also happen to be great venues for malware."
To permit application access by user-owned devices -- and other unmanaged devices, such as home PCs -- companies can turn to "clientless" SSL VPNs. Where clientless solutions are too limited, SSL VPN "thin clients" can be used to deliver broader application access -- preferably after scanning the user's device. Both techniques are now being incorporated into network access control (NAC) solutions that combine user authentication with endpoint identity and health to determine the appropriate degree of access.
Girard warns, however, that it can be tough to differentiate between a known, trusted device and another device that intentionally mimics it. "It can be very hard to detect cloning of a legitimate device," he said. "But you can try by examining registry keys and looking at NIC addresses or other hardware attributes."
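A sketch of how a NAC-style decision can combine user authentication, endpoint identity and endpoint health, with a clone check that compares several recorded attributes rather than the NIC address alone. This is an added example, not from the article or any NAC product; the enrollment record, attribute names (including `registry_marker`), access tiers and the deny-on-mismatch policy are assumptions, and the sample values are constructed.

```python
# Constructed enrollment database: attributes recorded when IT issued the device.
ENROLLED = {
    "LT-0141": {"mac": "00:1a:2b:3c:4d:5e",
                "disk_serial": "wd-7731",
                "registry_marker": "a91f"},   # hypothetical value IT wrote at imaging
}

# Assumed access tiers, following the article's clientless / thin-client split.
FULL, THIN, PORTAL, DENY = "full-network", "thin-client", "clientless-portal", "deny"

def mismatched(claimed_id, presented):
    """Names of enrolled attributes that the presented device fails to match.
    A missing attribute counts as a mismatch; comparison ignores case."""
    enrolled = ENROLLED[claimed_id]
    return sorted(name for name, value in enrolled.items()
                  if str(presented.get(name, "")).lower() != value)

def decide(user_authenticated, claimed_id, presented, scan_passed):
    """Return (tier, reason) for one connection attempt."""
    if not user_authenticated:
        return DENY, "user authentication failed"
    if claimed_id in ENROLLED:
        diff = mismatched(claimed_id, presented)
        if diff:
            # Claims a known identity but does not match its record.
            return DENY, "possible clone, mismatch on: " + ", ".join(diff)
        if scan_passed:
            return FULL, "enrolled device, healthy"
        return PORTAL, "enrolled device failed health scan"
    # Unmanaged (user-owned or home) device: broader access only after a scan.
    if scan_passed:
        return THIN, "unmanaged device, scan passed"
    return PORTAL, "unmanaged device, not scanned or scan failed"

if __name__ == "__main__":
    genuine = {"mac": "00:1A:2B:3C:4D:5E", "disk_serial": "WD-7731",
               "registry_marker": "a91f"}
    copied_mac_only = {"mac": "00:1A:2B:3C:4D:5E", "disk_serial": "ST-0000"}
    print(decide(True, "LT-0141", genuine, True))
    print(decide(True, "LT-0141", copied_mac_only, True))
    print(decide(True, "HOME-PC", {}, False))
```

A device that copies only the NIC address still fails on the other attributes; one that reproduces every recorded attribute passes this check, which is the limit Girard points out.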
Finally, some SSL VPNs can create a secure virtual environment on the unmanaged device -- essentially an encrypted container in which to run trusted applications and use corporate data.
This is a step in the right direction, Girard said. But the best way for employers to manage risk on user-owned devices may be to deploy corporate-managed "virtual PCs." For example, products from VMware or Moka5 can be used to create standard corporate desktop environments on personal laptops (but not on PDAs or smartphones).
Virtualization could give IT departments far more control over the computing environment used for business activities, while reducing the impact on mobile devices when they are used for personal activities. In short, secure virtual environments can let employees work remotely, independent of the mobile device they happen to be using to reach the corporate network.
Note that, in this scenario, mobile device discovery becomes far less important -- at least insofar as hardware is concerned. But employers will still need to reliably detect and identify each mobile user's execution environment in order to ensure that it remains healthy and compliant with corporate security policies. After all, the wrapping paper may or may not be pretty -- it's what's on the inside that really counts.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in April 2008