10 tips for mobile security: as the number of mobile workers increases, security challenges become more important - Wireless
Communications News, Jan, 2003 by Michael Clarkin
Telecommuters, road warriors and laptop-carrying executives dominate the corporate landscape, increasing demand for remote access to applications and network resources. This presents new security challenges for network administrators as remote and mobile workers' connections punch holes in network defenses. It also exposes companies to a major financial risk if the network is infected by the next generation of Code Red- or Nimda-style attacks.
To combat these threats, here are the "Top 10" recommendations to effectively manage mobile user security:
1. Scans. Users connecting to the Internet via broadband (through hotel DSL, home cable or airport WLAN) may be subjected to continuous scans by a virtual army of script kiddies. A packet-filtering PC firewall eliminates this risk and is a natural complement to corporate security tools already in place on the network edge.
2. Worms and viruses. Antivirus software cannot be overused. For static desktop computers, performing gateway e-mail virus checks is sufficient, but mobile laptops accessing Web-enabled e-mail face new risks. Laptops without current antivirus signatures installed risk infection and can contaminate the corporate network once reconnected in the office.
3. Lost/stolen laptops. Misplaced laptops are a substantial issue. If the laptop data is valuable, consider some form of disk encryption or tracking software. To keep a laptop from being used to spoof a network identity, strong authentication is a must. Even with simple tools, discovering a laptop's logons and passwords is relatively easy. To prevent thieves from gaining authenticated, encrypted access to the network, make sure the virtual private network (VPN) authenticates the user and not just the machine.
4. Denial-of-service launch pad. Zombies (sleeping Trojans), ready to be activated on demand, can turn a laptop into a tool for a distributed denial of service attack, exposing a company to potential liability. Current antivirus signatures are critical, but outbound traffic controls with PC firewalls can choke off all but the most persistent Trojans by blocking the ports they use to propagate.
5. Client/gateway VPN compromise. VPNs perform two security tasks well--encrypting data while in transit, and authenticating both user and laptop to the network. Unfortunately, they also render the laptop a more valuable target since it is a passageway into the network. So keep it simple--no split tunnels, strong user authentication and tough policies for employee misuse.
6. Multiple environments/multiple policies. With mobile users, there is a range of environments to consider in a security policy. With or without a VPN, users may connect to the network directly, through a corporate ISP, or their own ISP. Develop specific guidelines and policies for user location and method of access.
7. Operating systems. Pick a single standard and stick with it. Assemble a good Windows 2000 image, turn off personal Web services (or be vulnerable to Nimda remnants) and other unnecessary services, and stay abreast of patches and service packs.
8. User-managed security. Users cannot manage their own security. If alerted to a security incident, they will either disable the security tool or call the help desk. Enterprise-ready tools allow security to be invisible to users, and leave policy configuration to security or network professionals.
9. Simple policy. The most common security issue is a misconfigured policy. To achieve the best results from security tools, select proven technology with well-known approaches and familiar policy structures. Start off with low-impact policies, ones that will not accidentally impede user productivity and get the help desk phones ringing. Update and tighten controls over time until a proven, robust set of rules is developed.
10. To alert or not alert, that is the question. Design security with the support and response infrastructure in mind. What response is needed if a laptop is being scanned on a home ISP connection? Is that data even worth collecting? Keep these hidden operational costs in control with a clear plan for collecting and monitoring data. The best option may be to implement standalone tools (antivirus that quarantines a worm, a PC firewall that automatically blocks ports or attacks) rather than add the burden of 24x7 monitoring and ongoing analysis.
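Tip 5's "no split tunnels" rule can be audited from a laptop's routing table. The following is an added example, not part of the original article: it applies longest-prefix matching to constructed route tables and reports any prefix that still leaves outside the tunnel. The interface names (`vpn0`, `eth0`), all addresses, and the helper names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample tables of (destination prefix, interface); "vpn0", "eth0"
# and all addresses are hypothetical values chosen for illustration.
FULL_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # default route learned from the hotel/home link
    ("0.0.0.0/1", "vpn0"),        # client overrides the default with two /1 routes
    ("128.0.0.0/1", "vpn0"),
    ("203.0.113.10/32", "eth0"),  # host route to the VPN gateway itself
    ("192.168.1.0/24", "eth0"),   # directly connected local subnet
]
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "eth0"),        # Internet traffic leaves outside the tunnel
    ("10.0.0.0/8", "vpn0"),       # only the corporate prefix is tunnelled
    ("203.0.113.10/32", "eth0"),
]


def egress_interface(routes, dest):
    """Longest-prefix match: the interface a packet to dest would leave on."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), i) for p, i in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None


def bypass_routes(routes, vpn_iface, allowed_outside):
    """Prefixes that still carry traffic outside the tunnel.

    A non-VPN route is ignored when it is listed in allowed_outside (for
    example the gateway host route) or when more-specific routes cover it
    completely, as the two /1 routes do for the original default route.
    """
    nets = [(ipaddress.ip_network(p), i) for p, i in routes]
    allowed = {ipaddress.ip_network(p) for p in allowed_outside}
    findings = []
    for net, iface in nets:
        if iface == vpn_iface or net in allowed:
            continue
        inner = [n for n, _ in nets if n != net and n.subnet_of(net)]
        if list(ipaddress.collapse_addresses(inner)) == [net]:
            continue  # fully shadowed, never selected by longest-prefix match
        findings.append(str(net))
    return findings
```

With only the gateway host route allowed, the full-tunnel table still reports the local subnet, which a strict policy would also block or explicitly permit.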
For more information from Network-1: www.rsleads.com/301cn-253
RELATED ARTICLE: New WLAN security.
The Wireless Fidelity Alliance (www.wi-fi.org) has announced a new security solution to replace the existing wired equivalent privacy (WEP) security standard for wireless LANs. Wi-Fi protected access (WPA) should begin appearing in Wi-Fi-certified products early in 2003. Most vendors are expected to offer WPA firmware and software updates.
WPA is a specification of standards-based, interoperable security enhancements that increase the level of data protection and access control for existing and future wireless LAN systems. Designed to run on existing hardware as a software upgrade, WPA is derived from and will be forward-compatible with the upcoming IEEE 802.11i standard. When properly installed, it will provide wireless LAN users with a high level of assurance that their data will remain protected and that only authorized network users can access the network. The Wi-Fi Alliance plans to begin interoperability certification testing on WPA products starting in February.



