RE: Phone based VPN access

["Norm Laudermilch" <norml () trustdigital com>]

It may not seem obvious, but the threat to an enterprise from data
capable mobile devices is very high today.  Here's why:

1) Lots of valuable data: Mobile devices are carrying more and more
enterprise data every day.  In the past, products like GoodLink,
Intellisync, and BES made over-the-air sync easy but now Microsoft gives
it to you for free with Exchange ActiveSync.  It's easier than ever for
users to get their corporate email, calendar, contacts, and other data
on their phones, and in many cases it doesn't take any administrator
action to make it happen - completely user provisioned.  Add the
capabilities of desktop sync and USB storage in the mix and you've got a
situation where a lot of sensitive corporate data is walking in and out
of your front doors on mobile devices every day.

2) Very vulnerable platform: The mobile devices in use today have very
poor native security built-in.  A power-on password and maybe a remote
kill pill are about all you can expect from most manufacturers and sync
vendors.  On top of that, most of the mobile operating systems have no
notion of multiple security levels, administrative access, file access
permissions, or any of the things we've become used to in desktop OS's.
On top of all THAT, these things are designed from the ground up to make
communications easy - just think about the malicious routing and gateway
threats from a device that can be connected to WiFi, GPRS/EDGE/EVDO,
Bluetooth, IR, and USB connections all at the same time.  And you spent
how much money on your corporate firewall?  :)

3) Easy-to-lose form factor: They're small, they fit right in your
pocket, and get left in airports, taxi cabs, and hotel rooms a great
deal more than laptops do.  

4) "Mixed-use" makes enforcement difficult: A good percentage of these
devices are now "mixed use", meaning the user owns it and splits its use
between personal and business.  When the enterprise doesn't own the
asset, the security rules become a little different.  You have to be
able to deal with things like users installing their own software,
enforcing data access rules between applications, etc.

5) They are unavoidable.  These devices, and the mobile access to data
that they provide, are essential to the way we do business and are
unavoidable from a security standpoint.  People need them, so we need to
figure out how to secure them.

So, having established that mobile devices present a significant risk it
should be obvious that adding VPN connectivity to those devices only
makes the problem worse.  Adding a secure tunnel into the center of your
corporate network from an insecure endpoint is a huge risk.  

So, what do we do about it:

This is all about endpoint security - just like it was with laptops
establishing VPN's to the enterprise 10 years ago.  The main enterprise
security problem with today's mobile devices is that the built-in
security sucks.  Until you can establish and verify solid endpoint
security, you can't allow them to VPN in to your network.  The only way
to make secure use of mobile devices in an enterprise is to put in place
a security solution that is device independent, network and sync
independent, and carrier independent and provides the following security
features on the devices:

- Strong authentication
- Encryption
- Compliance checking and reporting
- Resource control (camera, Bluetooth, IR, other interfaces)
- Application control (what apps can do, what data they can access, etc)
- Network security (vpn, firewall, etc)
- Transparent (or as transparent as possible) to users
- Simple provisioning
- Centralized, policy based, control of all mobile devices 

Once you have these things available to you as a security administrator
on mobile devices, you can begin to trust them at the same level as you
trust your other mobile devices (laptops).  As far as known exploits go,
there are several - and the list is expanding every week.  It's only a
matter of time until the majority of the bad guys figure out that the
most efficient way to get malicious code into your protected enterprise
is via a mobile device.  Think about it - your corporate firewall, IDS,
IPS, anti-virus, and various other fancy acronym devices and solutions
wouldn't see malicious code injected into your network from a smart
phone syncing to a laptop via USB.  Most likely the same for malicious
code syncing over-the-air directly to your exchange server.  You could
easily contract a mobile virus via Bluetooth in Starbucks and
immediately route it into the heart of your enterprise via your
over-the-air sync mechanism.

It's a big security issue, so be careful with your use of mobile devices
in the enterprise.  They can be implemented both efficiently AND
securely if you do things right, and the users will be happy and the
executives will love you.  Do it the wrong way, and, well, I guess there
are a lot of security jobs out there.

Hope that helps,
Norm

Norm Laudermilch
CTO
Trust Digital, Inc.

-----Original Message-----
From: Securi Net [mailto:securinet2004 () yahoo ca]
Sent: Wednesday, 11 January 2006 4:32 AM
To: security-basics () securityfocus com
Subject: Phone based VPN access

Hi list members,

We have recently received a request to facilitate vpn access via a vpn
capable phone for an employee.

Are there any inherrent risks in facilitating such access. Are there any
known exploits or basic holes that we should watch out for?

Thanks in advance for any feedback.

Regards

CP



---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
----------------------------------------------------------------------------