In an ideal world, the starting point would be risk assessment and management. This is a fundamental component of any wireless and mobile deployment. It will ensure that security is factored in at the beginning of a project and that everyone involved is aware of the risks. All security policies should be reviewed to make sure that they reflect current realities.
However, in many cases, the move from inside to outside the computer network perimeter has not been accompanied by either risk assessment and management, or by the education of the management, staff and users involved.
In an environment with ongoing mobile computer access, attempting to “backfill” security is going to be difficult and subject to active or passive resistance from users – and much more expensive than getting it right in the first place. A bite at a time is the best approach in this situation, and there are some quick fixes that will make it an easier case to sell to all involved.
Passwords and authentication
Static passwords are woefully inadequate for remote and mobile computer users, with huge identity theft risks (particularly for wireless). The answer is to deploy strong two- factor authentication. Companies such as VASCO provide low-cost, token-based solutions that can be easily deployed for remote users.
Consider using encrypted secure sockets layer (SSL) VPNs, alongside or instead of IPsec VPNs, as SSL can provide lower cost, easier to manage connections for large numbers of remote users. This is a growing area and there are a wide range of solutions from WatchGuard, Citrix, AEP, etc.
Make sure that users regularly update anti-virus and firewall software. Failure to do so, alongside password and unauthorised software related issues, makes up the majority of remote help desk problems for organisations.
Ensure that all traffic is over VPNs and is encrypted. Don’t use Wired Equivalent Privacy (WEP) for encryption because it is poor, insecure and weak. Use WPA or WPA2 (also known as 802.11i) and ensure that users always operate with it switched on - the default is with it switched off.
If you have remote wireless LANs, ensure that the service set ID (SSID) is changed from the default and is secured. Don’t change it to something blindingly obvious like your company name (or “control tower”, as seen by startled laptop users at a US airport).
Implement media access control (MAC) filtering. A MAC address is a physical address, so if you restrict access to devices whose address you have authorised, you can eliminate many ID theft issues. Another variation of this is device authentication, where the device authenticates itself to the network. Solutions are available from companies such as Phoenix Technologies, etc.
Also ensure your users have a wireless firewall/VPN to protect them and to manage encrypted VPNs from the wireless device. Companies such as WatchGuard and Check Point provide centrally manageable solutions in this area.
Bear in mind that many cheaper remote firewalls are incapable of dealing with application level attacks. A key requirement for remote firewalls, wireless or static, is to be able to deal with current and future threats, which include packet and, increasingly, application level attacks. All of these measures should greatly improve your mobile computing security with the minimum of fuss and resistance from staff.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.