Don't miss all of the installments in this series on mobile device security:
- Mobile device security policies: Asserting control over mobile devices
- Managing mobile authentication methods
- Establishing secure mobile communication
Mobile devices used to access corporate networks send business data over a wide variety of links. From 3G wireless to WiMAX, hotel broadband to Wi-Fi hot spot, every public network interface poses some business risk. In this tip, we explain how to set up secure mobile communication, including how to encrypt mobile laptop, PDA and smartphone transactions using tools that can enforce the same over-the-air security, independent of device or network type.
Falling short with mobile communication security
Some mobile networks incorporate link security -- for example, 3G encrypts all messages between handsets or data cards and a carrier's base station. But each wireless network may be different, and end-to-end protection is left to the user. Businesses therefore cannot rely on link encryption to consistently and fully address mobile security needs.
Some businesses use point solutions to secure mobile communication end-to-end. For example, many enterprises utilize the native encryption found in BlackBerry handhelds. Such solutions can be an expedient way to secure part of your workforce, but they cannot be extended to cover all mobile devices and may not fully support your security policy.
Filling gaps in mobile network communication
Fortunately, many options exist for securing mobile network communication, independent of device type or access method.
IPsec VPNs: IPsec tunnels are a proven, robust method for ensuring the confidentiality and integrity of all private IP packets exchanged over any public network between a mobile device and a corporate network VPN gateway. Today, most laptop and handheld operating systems include an embedded IPsec VPN client, and roughly two out of three enterprises have at least one IPsec VPN gateway. However, IPsec clients can be expensive to administer -- particularly for large workforces that carry a broad mix of devices. IPsec can also be disruptive for mobile users that roam frequently from one network (and public IP address) to another. For these and other reasons, IPsec is most often used on IT-managed laptops that remain stationary during communication.
SSL VPNs: SSL has a long history of reliably protecting e-commerce transactions between Web browsers and servers. SSL VPN gateways use this same protocol to secure corporate network communication by any device equipped with a Web browser. This approach became popular by avoiding VPN client software, using dynamically downloaded Java or ActiveX to deliver business application access via Web-based GUIs. However, more complex applications cause client-side dependencies -- from requiring administrative rights on the device to actually installing client-side executables. Today, SSL VPNs secure network communication with many kinds of mobile devices, including unmanaged PCs, PDAs and smartphones, but the applications supported on handhelds are often limited by OS and screen size.
Mobile VPNs: Some VPN products are explicitly designed to overcome inter-network roaming disruption. These "Mobile VPNs" can employ a variety of protocols, ranging from proprietary UDP to Mobile IP. All use persistent encrypted tunnels to deliver traffic to a given mobile device, independent of its physical location and network connectivity. Some Mobile VPNs can actually hold messages destined for a mobile that travels beyond wireless coverage or falls asleep, delivering them when communication resumes. Mobile VPNs offer clear advantages for workers who must communicate continuously, without disruption, while roaming between 3G/4G networks and Wi-Fi hot spots. This kind of functionality requires installed client software, however, so it is critical to select a product that can support all device operating systems used by your mobile workforce.
Secure applications: VPNs encrypt application messages in a generic fashion, but what if you only care about encrypting email or keyboard/mouse/screen interaction with a remote system? Some companies prefer to use mobile applications that have their own built-in message encryption. In the short run, a secure application can often deliver device and network-independent coverage without the cost and complexity of a VPN. But in the long run, securing a large number of mobile applications independently can grow costly and make it hard to enforce consistent policies.
In diverse workforces, it can be difficult to satisfy every mobile user's needs with one type of secure network communication. For example, some companies deploy a single SSL VPN gateway but vary client access based on device, user and associated risk. Mobile users with IT-administered laptops may be given broader access, while those with unmanaged laptops or less capable smartphones may be restricted to email. If a single access platform simply cannot do the trick, try to avoid narrow device or network-specific platforms and consolidate control by using the same policies and credentials.
Completing the picture with secure mobile communication
Secure mobile communication methods can protect business traffic from eavesdropping, forgery and replay, independent of the network(s) used. However, complementary measures are needed to harden mobile devices against network-borne attack, endpoint compromise, and user error.
- VPN and secure application gateways are designed to let authorized users in and keep everyone else out -- and that depends on authentication. See our section on authorizing mobile device network access.
- All secure mobile communication methods are based on policies that must be carefully defined, universally deployed, and consistently enforced. See our section on asserting control over mobile devices.
- Mobile devices that connect via public networks must be protected against unsolicited traffic from unknown and possibly malicious devices. Deploy host firewall and intrusion-prevention programs to block non-VPN/secure application messages, both inbound and outbound.
- Some mobile access methods are LAN technologies that broadcast packets to strangers on the same public network, including DHCP requests, NetBIOS/SMB broadcasts, SSDP discovery messages, and IGMP multicasts. Configure mobile devices and interfaces to eliminate protocols that are inappropriate in public networks.
- Many users bypass secure mobile communication methods, either accidentally or intentionally. Consider using centrally configured policies to stop users from disabling VPNs or reconfiguring applications to send cleartext to destinations outside the corporate network.
- When any type of network tunnel is established, opportunity exists for an infected device to enable "backdoor" access to the corporate network. Use antivirus/spyware to mitigate this risk, either on the device itself or at the point of entry into the corporate network.
- Letting mobile users access your network is step 1. Monitoring how they use the network and its resources is step 2. Leverage your network infrastructure to restrict mobile users to the resources they should reach, and use network logging, analysis and reporting tools to audit usage.
About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.