Security Basics mailing list archives

Re: Phone based VPN access


From: norml () trustdigital com
Date: 13 Jan 2006 15:51:18 -0000

It may not seem obvious, but the threat to an enterprise from data-capable mobile devices is very high today.  Here's 
why:

1) Lots of valuable data: Mobile devices are carrying more and more enterprise data every day.  In the past, products 
like GoodLink, Intellisync, and BES made over-the-air sync easy but now Microsoft gives it to you for free with 
Exchange ActiveSync.  It's easier than ever for users to get their corporate email, calendar, contacts, and other data 
on their phones, and in many cases it doesn't take any administrator action to make it happen - completely user 
provisioned.  Add the capabilities of desktop sync and USB storage in the mix and you've got a situation where a lot of 
sensitive corporate data is walking in and out of your front doors on mobile devices every day.

2) Very vulnerable platform: The mobile devices in use today have very poor native security built-in.  A power-on 
password and maybe a remote kill pill are about all you can expect from most manufacturers and sync vendors.  On top of 
that, most of the mobile operating systems have no notion of multiple security levels, administrative access, file 
access permissions, or any of the things we've become used to in desktop OSes.  On top of all THAT, these things are 
designed from the ground up to make communications easy - just think about the malicious routing and gateway threats 
from a device that can be connected to WiFi, GPRS/EDGE/EVDO, Bluetooth, IR, and USB connections all at the same time.  
And you spent how much money on your corporate firewall?  :)

3) Easy-to-lose form factor: They're small, they fit right in your pocket, and get left in airports, taxi cabs, and 
hotel rooms a great deal more than laptops do.  

4) "Mixed-use" makes enforcement difficult: A good percentage of these devices are now "mixed use", meaning the user 
owns it and splits its use between personal and business.  When the enterprise doesn't own the asset, the security 
rules become a little different.  You have to be able to deal with things like users installing their own software, 
enforcing data access rules between applications, etc.

5) They are unavoidable.  These devices, and the mobile access to data that they provide, are essential to the way we 
do business and are unavoidable from a security standpoint.  People need them, so we need to figure out how to secure 
them.

So, having established that mobile devices present a significant risk, it should be obvious that adding VPN connectivity 
to those devices only makes the problem worse.  Adding a secure tunnel into the center of your corporate network from 
an insecure endpoint is a huge risk.  

So, what do we do about it?

This is all about endpoint security - just like it was with laptops establishing VPNs to the enterprise 10 years ago.  
The main enterprise security problem with today's mobile devices is that the built-in security sucks.  Until you can 
establish and verify solid endpoint security, you can't allow them to VPN in to your network.  The only way to make 
secure use of mobile devices in an enterprise is to put in place a security solution that is device independent, 
network and sync independent, and carrier independent and provides the following security features on the devices:

- Strong authentication
- Encryption
- Compliance checking and reporting
- Resource control (camera, Bluetooth, IR, other interfaces)
- Application control (what apps can do, what data they can access, etc.)
- Network security (VPN, firewall, etc.)
- Transparent (or as transparent as possible) to users
- Simple provisioning
- Centralized, policy-based control of all mobile devices

Once you have these things available to you as a security administrator on mobile devices, you can begin to trust them 
at the same level as you trust your other mobile devices (laptops).  As far as known exploits go, there are several - 
and the list is expanding every week.  It's only a matter of time until the majority of the bad guys figure out that 
the most efficient way to get malicious code into your protected enterprise is via a mobile device.  Think about it - 
your corporate firewall, IDS, IPS, anti-virus, and various other fancy acronym devices and solutions wouldn't see 
malicious code injected into your network from a smart phone syncing to a laptop via USB.  Most likely the same for 
malicious code syncing over-the-air directly to your Exchange server.  You could easily contract a mobile virus via 
Bluetooth in Starbucks and immediately route it into the heart of your enterprise via your over-the-air sync mechanism.

It's a big security issue, so be careful with your use of mobile devices in the enterprise.  They can be implemented 
both efficiently AND securely if you do things right, and the users will be happy and the executives will love you.  Do 
it the wrong way, and, well, I guess there are a lot of security jobs out there.

Hope that helps,
Norm

Norm Laudermilch
CTO
Trust Digital, Inc.
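
Added example (not part of the original message and not Trust Digital's product code): a sketch of the "compliance checking and reporting" gate the post asks for before a device is allowed to VPN in. The policy keys, report fields and device names are assumptions made for illustration; missing or stale posture data is treated as non-compliant.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical central policy; every key name here is an assumption.
POLICY = {
    "max_report_age": timedelta(hours=24),
    "required_true": ["power_on_password", "storage_encrypted"],
    "required_false": ["bluetooth_discoverable", "ir_enabled"],
    "allowed_apps": {"mail", "calendar", "contacts", "vpn-client"},
}

def evaluate(report, policy=POLICY, now=None):
    """Return (admit, findings). Anything unreported fails closed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    ts = report.get("reported_at")
    if ts is None or now - ts > policy["max_report_age"]:
        findings.append("posture report missing or stale")
    for key in policy["required_true"]:
        if report.get(key) is not True:
            findings.append(f"{key} not confirmed enabled")
    for key in policy["required_false"]:
        if report.get(key) is not False:
            findings.append(f"{key} not confirmed disabled")
    apps = report.get("installed_apps")
    if apps is None:
        findings.append("installed_apps not reported")
    else:
        for app in sorted(set(apps) - policy["allowed_apps"]):
            findings.append(f"unapproved application: {app}")
    return (not findings, findings)

def compliance_summary(reports, policy=POLICY, now=None):
    """Central reporting view: device id -> findings, non-compliant only."""
    summary = {}
    for r in reports:
        admit, findings = evaluate(r, policy, now)
        if not admit:
            summary[r.get("device_id", "<unknown>")] = findings
    return summary

# Constructed sample reports (not real devices).
NOW = datetime(2006, 1, 13, 16, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"device_id": "pda-001", "reported_at": NOW - timedelta(hours=1),
     "power_on_password": True, "storage_encrypted": True,
     "bluetooth_discoverable": False, "ir_enabled": False,
     "installed_apps": ["mail", "vpn-client"]},
    {"device_id": "phone-002", "reported_at": NOW - timedelta(days=3),
     "power_on_password": True, "storage_encrypted": False,
     "bluetooth_discoverable": True, "installed_apps": ["mail", "game"]},
]
```

The VPN concentrator would call evaluate() at connection time and refuse the tunnel when admit is False; compliance_summary() feeds the administrator's report.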
