Security Basics mailing list archives

RE: Phone based VPN access


From: "Rocky" <rocky.he () g-wizinnovations com>
Date: Wed, 11 Jan 2006 15:42:40 +1100

The most common risk you have with smart-phones is loss/theft = compromise. 
Ensure that there is a strong password policy:
        Long, complicated ones (yes, even though they are a pain to enter
        on a smart-phone)
        Frequently changed (more so than desktop passwords because of the
        exposure to hostile territory that the smart-phone has)
Are you planning on implementing certificate based authentication, or just
user/pwd? 
If the users keep sensitive data on the smart phones, which they are likely
to access over the VPN, you might want to implement a remote wipe system as
well.  This can be done with things like MS Exchange and ActiveSync Mobile
Administration Web Tool.  Although you might want to implement this anyway
even without the VPN access. 

As far as known exploits and basic holes...no more so than the same ones you
get with any remote VPN access really.  It's still VPN, and it's still as
vulnerable as the user allows it to be. 

If you haven't done it yet, you might consider implementing a network
quarantine system for these and all your mobile devices.  Ensure that the
mobile device is patched, and has adequate anti-virus as well as a firewall
if applicable (yes there are firewalls for Pocket PC / Windows Mobile /
smart phone based devices).  I've never set that up for smart-phones but I'd
imagine it's much like PDAs and Tablet PCs. 

Those are the things off the top of my head I'd consider. 

RockyH



-----Original Message-----
From: Securi Net [mailto:securinet2004 () yahoo ca] 
Sent: Wednesday, 11 January 2006 4:32 AM
To: security-basics () securityfocus com
Subject: Phone based VPN access

Hi list members,

We have recently received a request to facilitate vpn
access via a vpn capable phone for an employee.

Are there any inherent risks in facilitating such
access? Are there any known exploits or basic holes
that we should watch out for?

Thanks in advance for any feedback.

Regards

CP


        

        
                