Delivering an Effective Wireless Working Environment

Wireless Security – advancing from the traditional “one-size-fits-all” approach

As we have seen, mobile devices and network technologies have evolved in recent years, giving the executive road warrior, field service representative and teleworker access to corporate networks, databases and applications from virtually anywhere.

Despite these advances many organizations are still unfamiliar with the latest remote access technologies and are unsure how to address the biggest mobile deployment concerns we highlighted in the last section, namely cost control, available bandwidth and security.

There are some solutions which are technology or bearer network specific. For example, on WiFi networks the IEEE 802.11a/b/g standards have made it possible for hardware vendors to create interoperable systems. The success of these initiatives has resulted in the high WiFi adoption rate in the corporate environment, both inside and outside the trusted network. But with this success has come an increased risk to corporate security.

Security options included with wireless access points have been repeatedly shown to be insufficient. Wired Equivalent Privacy (WEP) is easily compromised and its exploits are well documented. WiFi Protected Access (WPA) improved some of the deficiencies of WEP, but even WPA is susceptible to newer threats called “brute force dictionary attacks” (in which the attacker recovers the preshared security key used in authenticating a device to the access point) and “Message Integrity Check” (MIC) Denial of Service attacks.

Two new, recently formalized standards called 802.1X and WPA2 (also known as 802.11i) are more robust and so far seem to be addressing many of the device-to-access-point authentication woes, but adoption of the standards remains negligible and they are only available on the newer access points. Another limitation is that, unfortunately, most wireless access points are capable of supporting only one security protocol at a time. As a result, organizations with wireless devices that support only weak WEP security, and do not support 802.1X or WPA2, must configure their access points for the security protocol common to all of their devices. For such organizations, a change in WiFi security occurs only when all access points or devices are upgraded – or another, more comprehensive solution is identified.

Such solutions are only available or effective when the wireless worker is connected to a single network. The number and types of networks an enterprise must coordinate, manage and secure is no longer limited to a single network over which they have physical control (or even ownership). Remote access for partners or telecommuters may be initiated from untrusted devices; employees who take their computers home with them may be connecting over their personal broadband (DSL or cable modem) connection, or perhaps even using their own WiFi access point on their home network; and mobile workers may use public or private WLAN access, which includes public hotspots.

The good news is that virtual private network (VPN) solutions have evolved along with these technologies to better serve the growing number of truly mobile workforces that use several different wireless networks.

The use of a VPN for secure remote access has become an essential tool for organizations which wish to ensure confidential data communications across public telecommunication or open networks, including the internet. VPNs create a discrete “tunnel” of encrypted data between the source and destination, ensuring the data cannot be intercepted or read as it passes through network infrastructure owned and operated by third party organizations. They are more cost effective than dedicated private lines and form a vital component of an effective security strategy.

A VPN must address the productivity concerns of application administrators as well as the network and data security concerns of network administrators—without compromising usability. For organizations to strike this balance between security, performance and usability in the field, they must select their VPN solution carefully.

Countless remote access and virtual private network (VPN) technologies claim to help IT managers provide mobile workers access to vital applications without compromising network security or disrupting performance and productivity. The reality is, however, that very few work well for truly mobile workers. Most VPNs can provide adequate remote access and security in fixed locations or over wired networks, but they do not provide seamless mobility in environments in which workers frequently change locations throughout the day, suspend/resume their devices to save battery life, encounter gaps in coverage or use multiple wireless networks. For these reasons, it is important to recognize that today’s VPNs are simply NOT one-size-fits-all.

So, let's explore the three main types of secure remote access solutions available today—IPSec, SSL and Mobile VPNs—and detail the key considerations for choosing the right VPN for your organization.

How mobile is your workforce?
Before you select a VPN, it is important to first analyze the workers that will use the solution. Are they “remote” or “mobile”? What are their specific remote access requirements?

Not all remote workers are mobile. Remote workers typically require access to a single local wired or wireless network from a fixed location, such as a home office or hotel room. True mobile workers, on the other hand, make use of a rich variety of wireless connections throughout the day. These workers rely on real-time access to data and applications, and they are more sensitive to obstacles that hinder their access because, as we have seen, it ultimately impacts their productivity and erodes the very benefits which the mobile working project sought to deliver.

IPSec, SSL and Mobile VPN solutions: An overview
The three most common technologies used for remote and mobile access today, IPSec, SSL and Mobile VPNs, are solid, proven technologies. When configured and used properly, all provide a high level of security through encryption and authentication and work well for remote users. However, not all VPNs function the same way under the same conditions. Unlike traditional IPSec and SSL VPNs, Mobile VPNs perform especially well in mobile and wireless environments. It is therefore critical to determine if your workforce is remote or mobile and to evaluate the merits and pitfalls of each VPN solution for that workforce.

IPSec VPNs are designed to provide point-to-point connectivity for remote users, typically over a high speed network. IPSec was not developed with protocol efficiency in mind, and adds roughly 102 bytes of overhead for every packet transmitted. When this overhead is multiplied across each application in use, IPSec becomes progressively impractical over a wireless network. The best-known attempt to make IPSec functional in mobile computing environments where IP addresses change is an approach called ‘Mobile IP’. Unfortunately, Mobile IP adds yet another layer of protocol overhead and introduces new security risks and data routing inefficiencies—both of which further degrade IPSec’s already poor performance over wireless networks and fail to even address the reliability required to remain productive.

As an alternative to IPSec, SSL VPNs are initiated through a web browser to provide clientless access to applications over a single network connection. SSL VPNs are a low-cost solution for web-enabled applications, but become increasingly complex when used with standard client-server applications that require non-standard SSL client software to function properly. This makes SSL inappropriate for environments that require access to home-grown or non-web-based applications. SSL also adds large amounts of overhead to packets, which is especially problematic over wireless networks when running multiple applications.

Both IPSec and SSL VPNs utilize a static IP address to identify the endpoint device—an architecture that works well over a wired connection or with a stationary endpoint. Maintaining this static IP address when the device is mobilized and connecting over a wireless network, though, is much more difficult. A gap in coverage or suspending a device will typically drop the VPN session and require the user to log back in and restart applications.

The newest remote access category, Mobile VPN, was designed for the mobile worker and to address the challenges associated with wireless networks and mobility. Mobile VPNs, much like traditional VPNs, integrate standards-based authentication and encryption, and provide single sign-on authentication. The Mobile VPN architecture is based on virtual IP addresses rather than physical ones. Virtual IP addresses allow users to maintain their VPN connection or “tunnel” as well as allowing their application sessions to persist as their device roams between wired and wireless IP-based networks. Some Mobile VPN solutions provide this seamless, uninterruptible user experience even through coverage gaps and suspend/resume cycles. Mobile VPNs also provide excellent application compatibility and work well on non-browser-based and even home-grown applications—without requiring additional configuration or upgrades. And, Mobile VPNs typically utilize the more efficient UDP protocol that minimizes overhead and optimizes performance over wireless networks. Rather than degrade network performance, Mobile VPNs typically provide both protocol optimizations as well as various forms of compression to accelerate the wireless connection, often providing apparent throughput that exceeds the network’s native performance capabilities. And Mobile VPNs become even more efficient as more network applications are used.
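To make the static-address versus virtual-address distinction concrete, here is a small added model (not any vendor's protocol, and not code from the original article) of the two binding styles. The static-endpoint VPN keys the session on the device's physical address, so the session is gone once the device roams; the Mobile VPN keys it on a virtual IP and lets the device rebind its current physical address, with the rebind authenticated by a session secret so that a third party cannot redirect someone else's tunnel. Address values and the HMAC-based rebind proof are constructed assumptions for the example.

```python
import hmac
import hashlib
import secrets

class StaticEndpointVpn:
    """IPSec/SSL-style binding: the session is tied to the physical address."""
    def __init__(self):
        self.sessions = {}  # physical address -> session token

    def login(self, physical_addr):
        self.sessions[physical_addr] = secrets.token_hex(8)
        return self.sessions[physical_addr]

    def deliver(self, physical_addr, token):
        # traffic from a new physical address belongs to no session: user must log in again
        return self.sessions.get(physical_addr) == token

def rebind_proof(vip, session_secret, new_addr):
    """Proof the client sends when it roams; assumed construction for this example."""
    return hmac.new(session_secret, f"{vip}|{new_addr}".encode(), hashlib.sha256).digest()

class MobileVpn:
    """Mobile-VPN-style binding: the session is tied to a virtual IP."""
    def __init__(self):
        self.tunnels = {}   # virtual IP -> {"addr": current physical address, "secret": bytes}
        self.next_host = 1

    def login(self, physical_addr):
        vip = f"10.255.0.{self.next_host}"   # constructed virtual address pool
        self.next_host += 1
        secret = secrets.token_bytes(16)
        self.tunnels[vip] = {"addr": physical_addr, "secret": secret}
        return vip, secret

    def rebind(self, vip, new_addr, proof):
        # The rebind must be authenticated: without this check anyone who learns a
        # virtual IP could point the tunnel at their own address.
        t = self.tunnels.get(vip)
        if t is None or not hmac.compare_digest(proof, rebind_proof(vip, t["secret"], new_addr)):
            return False
        t["addr"] = new_addr   # tunnel and its application sessions survive the move
        return True

    def deliver(self, vip, physical_addr):
        t = self.tunnels.get(vip)
        return t is not None and t["addr"] == physical_addr
```

The same rebind path covers a suspend/resume cycle: the device comes back with a new address, proves it still holds the session secret and carries on.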

Furthermore, leading Mobile VPNs combine the best IPSec and SSL policy management approaches for even greater flexibility and control. For example, IT managers can regulate access at the application level (like SSL VPNs) as well as by port and protocol (like IPSec VPNs). Some go a step further by permitting or denying access to a specific application by a user or a user group with defined network conditions such as the network being used. Administrators can create policies to prevent the use of high-bandwidth applications over low-speed connections or to ensure confidential data is not accessed over a public wireless WAN, but permit access as soon as the user switches to an enterprise Wi-Fi access point.
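The network-aware policies described above, as an added illustration that is not any product's policy language: rules match on user group, application, network class and measured link speed, the first matching rule decides, and anything unmatched is denied. The group, application and network names are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Context:
    group: str        # user group, e.g. "hr"
    app: str          # application requesting access, e.g. "hr_records"
    network: str      # "enterprise_wifi", "public_wwan", "home_broadband", ...
    link_kbps: int    # measured speed of the current link

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    group: Optional[str] = None      # None matches any value
    app: Optional[str] = None
    network: Optional[str] = None
    max_kbps: Optional[int] = None   # rule applies only when the link is this slow or slower

    def matches(self, ctx: Context) -> bool:
        return ((self.group is None or self.group == ctx.group)
                and (self.app is None or self.app == ctx.app)
                and (self.network is None or self.network == ctx.network)
                and (self.max_kbps is None or ctx.link_kbps <= self.max_kbps))

def evaluate(rules, ctx: Context) -> str:
    """First matching rule wins; no match means deny (default-deny)."""
    for rule in rules:
        if rule.matches(ctx):
            return rule.action
    return "deny"

# Constructed policy reflecting the text: keep the high-bandwidth video app off
# slow links, keep the confidential HR application off public wireless WAN but
# allow it on enterprise Wi-Fi for the HR group, and let everyone use e-mail.
# Order matters: the slow-link deny sits above the enterprise Wi-Fi permit.
POLICY = [
    Rule("deny", app="video", max_kbps=256),
    Rule("permit", app="video", network="enterprise_wifi"),
    Rule("deny", app="hr_records", network="public_wwan"),
    Rule("permit", group="hr", app="hr_records", network="enterprise_wifi"),
    Rule("permit", app="email"),
]
```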

The Mobile VPN enables mobile workers to roam across wireless networks, traverse dead spots in coverage and even suspend and resume their devices, all without losing data or logging in again. This freedom and flexibility means that employees can serve customers anywhere, using all types of wireless Internet connection, be they cellular-based data services, wireless hotspots in cafes or airport terminals, dial-up connections, corporate wireless networks or even conventional wired LANs.

Implementing a Mobile VPN equips Network Administrators with the capability to extend device management and data communications security policy to mobile devices connecting to wireless networks – even those public wireless networks which they do not own or control.

This post was written by:

Adam Malik - who has written 29 posts on IP EXPO ONLINE.
