Security Basics mailing list archives
RE: Phone based VPN access
From: "Rocky" <rocky.he () g-wizinnovations com>
Date: Wed, 11 Jan 2006 15:42:40 +1100
The most common risk you have with smart-phones is loss/theft = compromise.

Ensure that there is a strong password policy:
- Long
- Complicated ones (yes, even though they are a pain to enter on a smart-phone)
- Frequently changed (more so than desktop passwords because of the exposure to hostile territory that the smart-phone has)

Are you planning on implementing certificate based authentication, or just user/pwd?

If the users keep sensitive data on the smart phones, which they are likely to access over the VPN, you might want to implement a remote wipe system as well. This can be done with things like MS Exchange and ActiveSync Mobile Administration Web Tool. Although you might want to implement this anyway even without the VPN access.

As far as known exploits and basic holes...no more so than the same ones you get with any remote VPN access really. It's still VPN, and it's still as vulnerable as the user allows it to be.

If you haven't done it yet, you might consider implementing a network quarantine system for these and all your mobile devices. Ensure that the mobile device is patched, and has adequate anti-virus as well as a firewall if applicable (yes, there are firewalls for Pocket PC / Windows Mobile / smart phone based devices). I've never set that up for smart-phones but I'd imagine it's much like PDAs and Tablet PCs.

Those are the things off the top of my head I'd consider.

RockyH

-----Original Message-----
From: Securi Net [mailto:securinet2004 () yahoo ca]
Sent: Wednesday, 11 January 2006 4:32 AM
To: security-basics () securityfocus com
Subject: Phone based VPN access

Hi list members,

We have recently received a request to facilitate vpn access via a vpn capable phone for an employee. Are there any inherent risks in facilitating such access? Are there any known exploits or basic holes that we should watch out for?

Thanks in advance for any feedback.

Regards
CP