
Mobile device security: Guarding the gate

Over-the-air synchronization for handheld mobile devices can expose the enterprise network, but using proper policies to police activity can help ensure a secure network.

Last month, I wrote about the importance of detecting what is really connecting to your network, starting with techniques for discovering on-site wireless devices. But short-range RF monitoring cannot detect mobile devices that access your servers and data from afar. At this month's Gartner Mobile Wireless Summit, we explored this topic with vendors and analysts.

Getting in sync
For many mobile devices, periodic data synchronization with an enterprise server or desktop is a primary point of corporate contact. A decade ago, Palm Pilots started using cradles to synchronize directly with desktop PCs. Today, mobile workers are more likely to synchronize handheld devices "over the air" with DMZ (demilitarized zone) email servers like Microsoft Exchange or mobile device managers like Sybase iAnywhere Afaria.

"When any mobile device synchronizes with a desktop using Bluetooth or a cradle, if an Afaria client is running on the desktop, it can block that sync activity," said Joe Owen, vice president of engineering for Sybase iAnywhere. "Alternatively, a message may be returned to the desktop with instructions to install Afaria on new mobile devices."

But, according to Owen, desktop synchronization has become old-school. "Most of our customers are now locking down desktops to stop [mobile devices] from coming in that way," he said. "They prefer to deal with mobile devices at the perimeter or on the DMZ, using some type of gateway."

In fact, Gartner's John Girard strongly recommends disabling cable and cradle-based synchronization. "The moment that I open up desktop synchronization, I have a secondary path that's hard to monitor and control. If I don't have an agent on that [desktop], then I'll never even know it happened," he explained.

Instead, Girard recommends that devices be "checked at the gate" when they first attempt to enter the company network to reach office systems and servers. "Even if users control their own [mobile] devices, the company does not need to give up control to its central and office facilities. Access controls at the boundaries of WAN, LAN and server take on increasingly important roles to prevent damage from improper usage."

Perimeter detection and provisioning
For example, Afaria customers can detect unauthorized or unprovisioned Windows Mobile devices when they attempt to synchronize with Microsoft Exchange. "We offer software that can be run on the Exchange Server as an ISAPI add-in to detect synchronization attempts," Owen said.

All correctly provisioned devices are permitted to sync with Exchange, while the rest receive error messages containing a URL for over-the-air provisioning. Alternatively, an SMS message could be sent to newly issued mobile devices, containing the provisioning URL. Mobile users follow the URL to a corporate Web server, where they are presented with a confirmation message to download and install the Afaria client.

The appropriate client package, including Afaria software and policy, is then pushed to the device -- typically over a wireless WAN, but potentially over any Internet connection. Once the client has been installed, the mobile device automatically connects to an Afaria server on the corporate DMZ at scheduled intervals. That server checks each mobile device's ID against administrator-configured blacklists and whitelists to enforce policies on authorized devices and wipe lost or stolen devices. Connection attempts and inventoried attributes are logged for use in reporting.
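The "check at the gate" flow just described, as an added illustration that is not Afaria's or Exchange's code: a small policy decision point in front of a sync endpoint that admits provisioned devices, answers unknown devices with an enrollment URL, refuses blacklisted devices with a wipe instruction, and logs every attempt with its inventoried attributes. Device IDs, the request field names and the provisioning URL are constructed placeholders.

```python
import json
from dataclasses import dataclass, field

# Constructed placeholder for the over-the-air provisioning portal.
PROVISIONING_URL = "https://provision.example.invalid/enroll"


@dataclass
class SyncGate:
    """Policy decision point sitting in front of the mail server's sync endpoint."""
    whitelist: set                      # device IDs an administrator has authorized
    blacklist: set                      # device IDs reported lost, stolen or revoked
    log: list = field(default_factory=list)

    def check(self, request: dict) -> dict:
        """Decide what one sync attempt receives: ALLOW, PROVISION, WIPE or DENY.

        `request` is the minimal inventory a sync request or management client
        would present (hypothetical field names): device_id, os, client_installed.
        """
        device_id = request.get("device_id", "")
        managed = request.get("client_installed", False)
        if not device_id:
            verdict = {"action": "DENY", "reason": "no device identifier"}
        elif device_id in self.blacklist:
            # Lost or stolen: refuse mailbox data and queue a remote wipe.
            verdict = {"action": "WIPE", "reason": "device blacklisted"}
        elif device_id in self.whitelist and managed:
            verdict = {"action": "ALLOW", "reason": "authorized and managed"}
        else:
            # Unknown or unmanaged device: the error response carries the enrollment URL.
            verdict = {"action": "PROVISION", "reason": "not provisioned",
                       "url": PROVISIONING_URL}
        # Every attempt, admitted or not, is recorded for reporting.
        self.log.append({"device_id": device_id, "os": request.get("os"),
                         "client_installed": managed, "action": verdict["action"]})
        return verdict


def run_demo() -> SyncGate:
    """Run five constructed sync attempts through the gate and return it with its log."""
    gate = SyncGate(whitelist={"WM-1001", "WM-1002"}, blacklist={"WM-0999"})
    attempts = [
        {"device_id": "WM-1001", "os": "Windows Mobile 6", "client_installed": True},
        {"device_id": "WM-1002", "os": "Windows Mobile 6", "client_installed": False},
        {"device_id": "WM-2222", "os": "Windows Mobile 5", "client_installed": False},
        {"device_id": "WM-0999", "os": "Windows Mobile 6", "client_installed": True},
        {"os": "Windows Mobile 6"},
    ]
    for attempt in attempts:
        gate.check(attempt)
    return gate


if __name__ == "__main__":
    for entry in run_demo().log:
        print(json.dumps(entry))
```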

I experienced the user side of this process at the Gartner Summit by participating in a GO! Mobile Device Trial offered by Sybase and HTC. When I picked up my HTC Touch Dual, the client package had been installed but not fully provisioned. The latter was completed within a few minutes by connecting over wireless broadband to a remote Afaria trial server to download applications, content and settings, including iAnywhere Mobile IM and OneBridge email. However, initial device detection via Exchange synchronization was not part of this trial.

Beyond email
This one example illustrates how perimeter application servers can play a vital role in mobile device detection. Many mobile device managers now offer some degree of mail gateway integration, reflecting the dominance of email as a mobile business application. However, detection at other application portals and remote access VPN gateways will no doubt grow as mobile applications and their business usage expand. Next month, we will conclude this series with a look at new challenges being introduced by today's increasingly diverse mobile devices, and emerging techniques to deal with them.


About the author: Lisa Phifer is vice president of Core Competence Inc., a consulting firm specializing in network security and management technology. Phifer has been involved in the design, implementation, and evaluation of data communications, internetworking, security, and network management products for nearly 20 years. She teaches about wireless LANs and virtual private networking at industry conferences and has written extensively about network infrastructure and security technologies for numerous publications. She is also a site expert to and
