Vulnerability To Go
May 1, 2005 12:00 PM, By Jacqueline Emigh
Protecting desktop PCs is tough enough, but securing mobile devices is even harder. Yet as laptops, PDAs, and cell phones proliferate inside and around enterprises, security management for the smaller machines is improving in intriguing ways.
The biggest challenge to making mobile devices safe and secure is their mobility. “Essentially, these devices can go anywhere,” says Brian Lehman, senior director for the Government Solutions Group at Symbol Technologies, Holtsville, N.Y.
“Trying to protect a mobile device is like guarding a building in which all the doors and windows are open,” agrees Rich Miranov, vice president of AirMagnet, Sunnyvale, Calif.
Specifically, mobile machines are easier for thieves to pick up and steal. Furthermore, the data on their hard drives is more prone to attack by interlopers on computer networks.
On a related note, laptops and PDAs are generally more likely than their desktop counterparts to appear on 802.11 wireless LANs (local area networks), a particularly vulnerable type of network.
Mobile devices have other differences, too. Unlike desktop PCs — which typically come with some ordinary flavor of Microsoft Windows — PDAs and cell phones run a variety of lesser-known operating systems (OS), including PalmOS, Symbian OS and Microsoft's Windows CE and PocketPC.
Endless wireless
Wireless applications are varied. Large car manufacturers often use combinations of Windows CE-based PDAs and Windows-based laptops to track materials on their assembly lines, according to AirMagnet's Miranov. The devices communicate over 802.11 networks on the shop floor.
Doctors working in hospitals and clinics use PDAs or data-enabled cell phones — sometimes called “smartphones.” The smaller machines are easier to carry, and PDAs are reminiscent of the paging devices doctors are used to carrying.
Yet, with HIPAA regulations looming large, healthcare organizations tend to be more concerned about security than ever, Miranov says.
Mobile devices are also cropping up among consumers and among every sort of enterprise worker. Laptops and PDAs can be easily purchased at discount and department stores for a few hundred dollars.
Not surprisingly, the worldwide market for enterprise mobile devices alone will skyrocket from $9 billion in 2004 to $12.3 billion in 2008, according to a recent study by Venture Development Corp. (VDC), Natick, Mass.
At the same time, though, multiple surveys by International Data Corp. (IDC), Framingham, Mass., have shown security to be the biggest inhibitor to wireless computing growth.
Viruses and other malicious software (“malware”) — including “worms” and “Trojan horses” — constitute an increasingly worrisome threat. As they travel anywhere, mobile devices are even more likely than desktop PCs to get exposed, experts say.
Smaller PDA and cell phone platforms were once resistant to viruses, because their tiny hard drives and memories did not give the computer “bugs” much room to play. But that's all changing now.
The first worm to target smartphones, “Cabir,” was originally unleashed in June of 2004. By last December, 11 new variants of the worm had surfaced. Other smartphone threats reported in 2005 include Trojan horses known as “Skulls,” “Mos” and “CommWarrior.”
The security implications of smartphone viruses are more significant than one might have previously expected. According to a recent survey conducted for Symantec Corp., Cupertino, Calif., by InsightExpress, Stamford, Conn., data-capable smartphones are starting to be used in many of the same ways as laptops. Users are turning to smartphones for e-mail; instant messaging; Web browsing; accessing financial accounts; and downloading and sharing files over the Internet.
Unfortunately, information security professionals tend to have even less control over mobile devices than over desktop PCs. In many cases, departments within enterprises — and even individual users — are “just going out and buying whatever they want,” Lehman says.
“Mobile chaos is everywhere, and it needs to be chained in,” the Symbol executive says.
Solutions are available
For its part, Symbol has been responding to the crisis with products such as the Symbol Wireless Intrusion Protection System (IPS), which relays alerts to information security staff whenever it detects malicious or unauthorized activities by devices on a wireless LAN.
Vendors are developing information security products particularly geared to specific PDA and smartphone operating systems. For instance, Symantec's offerings include software that provides integrated antiviral and firewall protection for devices running the Symbian operating system.
In Symantec's smartphone-oriented firewall, incoming and outgoing connection attempts are either blocked or allowed, based on a set of definable rules.
Meanwhile, AirMagnet, Enterasys Networks and some other companies are extending state-of-the-art security management across both traditional wired computer networks and the latest wave of wireless mobile machines.
AirMagnet offers two products: the AirMagnet Mobile Suite — featuring monitoring and analysis software for both Windows laptops and Windows CE PDAs — and AirMagnet Enterprise, a network-based alert system that uses tiny sensors.
Miranov compares AirMagnet Enterprise to a smoke detection system. But instead of finding smoke, the system pinpoints unauthorized or rogue devices in the physical environment that are attempting to invade wireless LANs.
Wireless hackers operating the rogue devices might be located in a building next door, on a different floor in the same facility, or outside in the parking lot.
Wireless violations uncovered by the system can be automatically reported to a central location over the enterprise computer network. One Japanese car maker is using AirMagnet Enterprise to protect top-secret designs for its next generation vehicles, Miranov says. Beyond merely identifying intruders, AirMagnet Enterprise can be set up to carry out security policies established by enterprise information security departments.
At the auto manufacturing firm in Japan, for example, the system confirms that all users have been “authenticated” — meaning that they have proven their identities — and that encryption — or data “scrambling” — is happening. If an unauthorized mobile device is detected, the device is automatically shut down.
Other companies are using AirMagnet Enterprise to enforce centrally devised wireless security policies across various physical facilities. One computing giant, for instance, is deploying the system at more than 1,000 offices around the world, according to Miranov.
To cite another example, a branch of the U.S. military has installed AirMagnet Enterprise at more than 1,400 recruiting offices throughout the United States.
Enterasys Networks, on the other hand, has introduced new wireless access point hardware that extends the information security management of its products for computer networks into wireless LANs.
Complementary products from Enterasys offer several new security features for device management, says Scott Bolick, the company's vice president of secure networks, software and solutions.
For example, Enterasys' Trusted-End System ensures that devices connecting to the wired or wireless network are free of viruses and other security “threats.”
If devices are not “threat-free,” they become “quarantined” — banned from the network until their security glitches have been fixed.
Another new product from Enterasys — the “Policy Control Console” — is aimed at allowing authorized non-information security personnel to control certain kinds of network policies, according to Bolick.
Some university professors are using the Policy Control Console to turn off wireless network access during classroom sessions.
Alternatively, physical security professionals might also be allowed to curb wireless access — if, for instance, they notice suspicious activities going on around them that could be jeopardizing wireless LAN data.
SUCCESS STORY
Attorneys Use Firewall To Safeguard Client Data
As one of the top 10 Atlanta law firms, Arnall Golden Gregory (AGG) serves its clients regarding mergers and acquisitions, capital markets financing, joint ventures, litigation and other legal issues.
Electronic communications and data exchange are critical to the firm's success, and AGG must safeguard its clients' data according to security requirements dictated by federal regulations such as HIPAA and Sarbanes-Oxley.
AGG's network has to be available 24 hours a day so that employees can access files and e-mail at any time, from their local desktops or remotely through a virtual private network (VPN).
The firm had previously used perimeter firewall software, but the licensing costs and management complexity convinced AGG to look at other options to update the system.
In searching for a new firewall solution, the company needed:
- application-layer security;
- more cost-effective licensing;
- lower support costs; and
- easier setup and management.
The criteria led the AGG Technical Services team to Microsoft Internet Security and Acceleration (ISA) Server 2004, part of Microsoft Windows Server System integrated server software. A full-featured version of the software is available in the new Network Engines NS Series Firewall Appliance.
“We can write firewall rules for specific applications, which is critical to our security requirements,” says Matt McKinley, technical services manager for Arnall Golden Gregory LLP.
AGG set up the NS6300 Firewall Appliance as a perimeter firewall to safeguard servers running applications such as Microsoft Exchange Server, Office Outlook Web Access, and Terminal Server. The NS6300 also safeguards traffic connecting to the firm's internal VPN, which runs on the Windows Server 2003 operating system. AGG also purchased a second NS6300 to use as a hot backup.
“The security provided by the NS6300, along with the ease of use, reduced our administrative overhead by more than half of what was required with the (previous) firewall,” McKinley says. “The licensing costs are also significantly less.”
FOR THE RECORD
ABOUT THE COMPANIES
For information, circle the Reader Service number (listed below) or visit securitysolutions.com
| AIRMAGNET | 41 |
| ENTERASYS NETWORKS | 42 |
| SYMANTEC CORP. | 43 |
| SYMBOL TECHNOLOGIES | 44 |
© 2008 Penton Media Inc.