Secure your mobile road warriors: VPN choices or managed security providers are options to ensure network integrity.
Regardless of whether IT decides to manage security tools in-house or chooses to outsource management, there are several basic questions that need to be addressed before the deployment and implementation of a remote-access security strategy.
First, assess whether employees' needs are limited to a narrow set of applications, such as e-mail and intranet Web use, or whether they have broader requirements. What type of VPN will provide the best balance of security, application access and cost? Internet Protocol Security (IPsec), Secure Sockets Layer (SSL) and other virtual private network (VPN) solutions each have their own pros and cons. Will you need a single product or a blended solution?
Determine the minimal set of security controls required to protect your network from users connecting from outside the corporate firewall. How will you enforce and integrate corporate security services (antivirus, personal firewall and patch management) on mobile workers' PCs?
Decide whether building security capabilities in-house or outsourcing them is best. Given the complexity and sensitivity of supporting mobile workers, companies have to evaluate the different strategies for designing, deploying and supporting these solutions.
The VPN plays a crucial role in securing data in transit between the remote user and the corporate network, as traveling users now expect all the resources and functionality available in their office to be available to them in an airport, hotel room or coffee shop as well. The choice of VPN dictates how much of the network is extended to these remote end points.
The choice of how to extend application access beyond the network perimeter has become more complex with the widespread availability of SSL-based VPNs. The real consideration when choosing between an SSL- and an IPsec-based VPN is the type of application that users will typically use. While application demand varies from company to company, there are some common applications that most road warriors will require.
SSL-based VPNs generally offer the simplest and quickest deployment. As a clientless solution, they typically offer less flexibility than their IPsec counterparts: all remote users are pointed to a Web site, they log in, and a limited set of applications is made available through the site without loading any special software on the remote PC.
SSL VPNs open up new exposure in that they can be accessed from almost any Internet-connected PC in the world. Such machines should always be considered untrusted, since they are not under the control of the corporate IT department: keystroke loggers and other attacker tools can capture user names and passwords without the end-user's knowledge. Some newer SSL VPN implementations attempt to counter this by dynamically downloading and installing temporary end-point security components that protect the active session while remaining transparent to the end-user. Such components reduce the exposure but cannot make a compromised host trustworthy; a keystroke logger already running on the machine sees the credentials before any session protection loads.
SSL VPNs let the corporation deploy simple applications, such as e-mail, intranet Web applications or file sharing, quickly and at minimal cost. Before deploying SSL, confirm that the critical applications are actually accessible using this method.
Alternatively, IPsec VPNs offer a flexible solution for corporations with more complex or custom applications. Most applications can be accessed in the normal way by deploying an IPsec client to the mobile workforce and training employees to initiate the connection back to corporate. Since IPsec VPNs are traditionally run from corporate-owned assets, security is enforceable end-to-end.
Several layers of security are necessary for true end-to-end protection. By integrating the connectivity client, the VPN and the end-point security packages, protection can be deployed in a layered and cooperative manner, with each layer checking and relying upon the others. Additionally, any mobile security solution needs to be technology- and access-agnostic, and able to function and secure traffic over the most vulnerable connectivity, such as a public hotspot.
Some security-solution providers offer features that ensure an unsecured connection is secured by checking and enforcing that the VPN client is loaded and connected. If the VPN connection drops, the underlying Internet access is terminated as well rather than left open; the check should fail closed, so that while the tunnel is down the only traffic permitted is what is needed to re-establish it. Integrating these layers ensures that the end-user is always protected and cannot surf the Internet without the protection and logging that the corporate network provides.
The VPN client can also be tied to a personal firewall service, which not only protects the end point from probing attackers but can also enforce the latest system and software updates. After the VPN is established, the personal firewall connects to an enforcement server and verifies that the latest antivirus and spyware signatures, firewall policies and operating system patches are installed, loaded and functioning. If they are not, the user is placed in a walled garden (a restricted network segment from which only the remediation servers are reachable) and presented with a simple Web page offering the updates. Once the missing updates are installed and verified, regular network connectivity resumes.
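The following is an added example, not code from the article or from either vendor, that models the two enforcement steps just described: the connectivity client permits Internet use only while the tunnel is up, and once it is up the enforcement server evaluates the personal-firewall agent's posture report and either grants full access or confines the host to a walled garden. The policy thresholds, hostnames (`vpn.corp.example`, `update.corp.example`, `av.corp.example`), patch identifiers (`PATCH-1`, `PATCH-2`) and the report layout are assumptions made for the example; the sample reports are constructed, not real agent output.

```python
"""Added example: tunnel guard plus posture check with a walled garden.

Policy values, hostnames, patch identifiers and the report format are
assumptions for this example, not any vendor's real protocol.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# --- Assumed policy (example values) ----------------------------------------
VPN_GATEWAY = "vpn.corp.example"                       # assumed hostname
MAX_SIGNATURE_AGE_DAYS = 3                             # oldest acceptable AV signatures
REQUIRED_PATCHES = frozenset({"PATCH-1", "PATCH-2"})   # hypothetical patch IDs
WALLED_GARDEN_HOSTS = frozenset({"update.corp.example", "av.corp.example"})


@dataclass(frozen=True)
class Posture:
    """What the personal-firewall agent reports about the end point."""
    report_date: date
    av_signature_date: Optional[date]      # None: agent could not read it
    firewall_running: bool
    installed_patches: FrozenSet[str]


@dataclass
class Decision:
    access: str                            # "blocked", "walled_garden" or "full"
    remediation: List[str] = field(default_factory=list)
    allowed_hosts: FrozenSet[str] = frozenset()   # reachable hosts while restricted


def parse_report(report: Dict[str, object]) -> Posture:
    """Parse the agent's report (dates as ISO strings); a missing AV date maps to None."""
    sig = report.get("av_signature_date")
    return Posture(
        report_date=date.fromisoformat(str(report["report_date"])),
        av_signature_date=date.fromisoformat(str(sig)) if sig else None,
        firewall_running=bool(report.get("firewall_running", False)),
        installed_patches=frozenset(report.get("installed_patches", ())),
    )


def check_posture(p: Posture) -> List[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems: List[str] = []
    if p.av_signature_date is None:
        problems.append("antivirus not running or signature date unreadable")
    elif (p.report_date - p.av_signature_date).days > MAX_SIGNATURE_AGE_DAYS:
        problems.append(f"antivirus signatures older than {MAX_SIGNATURE_AGE_DAYS} days")
    if not p.firewall_running:
        problems.append("personal firewall not running")
    missing = sorted(REQUIRED_PATCHES - p.installed_patches)
    if missing:
        problems.append("missing patches: " + ", ".join(missing))
    return problems


def decide(tunnel_up: bool, report: Optional[Dict[str, object]]) -> Decision:
    """Fail closed at every step: no tunnel -> gateway only; no report -> quarantine."""
    if not tunnel_up:
        return Decision("blocked", ["VPN tunnel down; reconnect required"],
                        frozenset({VPN_GATEWAY}))
    if report is None:
        return Decision("walled_garden", ["no posture report received"], WALLED_GARDEN_HOSTS)
    problems = check_posture(parse_report(report))
    if problems:
        return Decision("walled_garden", problems, WALLED_GARDEN_HOSTS)
    return Decision("full")


# --- Constructed sample reports (not real agent output) ----------------------
SAMPLE_COMPLIANT = {"report_date": "2004-08-01", "av_signature_date": "2004-07-31",
                    "firewall_running": True, "installed_patches": ["PATCH-1", "PATCH-2"]}
SAMPLE_STALE_AV = dict(SAMPLE_COMPLIANT, av_signature_date="2004-07-20")
SAMPLE_NO_FIREWALL = dict(SAMPLE_COMPLIANT, firewall_running=False,
                          installed_patches=["PATCH-1"])

if __name__ == "__main__":
    cases = [("compliant", SAMPLE_COMPLIANT), ("stale AV", SAMPLE_STALE_AV),
             ("no firewall", SAMPLE_NO_FIREWALL), ("no report", None)]
    for name, rep in cases:
        d = decide(True, rep)
        print(f"{name:12s} -> {d.access:14s} {'; '.join(d.remediation)}")
    print(f"{'tunnel down':12s} -> {decide(False, SAMPLE_COMPLIANT).access}")
```

The design point is that every failure path restricts rather than permits: a dropped tunnel leaves only the gateway reachable, an absent or unparseable report lands in the walled garden, and the remediation list tells the Web page exactly what to offer.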
This level of granularity helps ensure that mobile end points do not become a risk to the network. Deploying additional security measures, however, should not get in the worker's way. With one-click integration of all these components, employees need only a single authentication step, such as a password (or, given the keystroke-logging risk noted above, a two-factor token), to bring up a comprehensive and secure connection back to the corporate network.
Many companies are choosing to outsource this changing part of the network. Managed service providers offer solutions that allow the IT staff to define and monitor the deployment but leave installation and ongoing management to dedicated teams of engineers.
These same outsourcing companies can offer solutions housed inside the corporate data center, or can host and manage them externally. By housing the solution internally, IT departments retain more control and can deliver it using existing data center facilities and bandwidth. For smaller corporations, the solution can instead be hosted in high-availability data centers owned and operated by the managed network provider.
For more information from MegaPath Networks: www.rsleads.com/408cn-259
For more information from iPass: www.rsleads.com/408cn-260
Philip Simpson is senior sales engineer at MegaPath Networks, Pleasanton, Calif., and Jon Russo is vice president of marketing at iPass, Redwood Shores, Calif.
Title Annotation: Mobile Computing
Author: Simpson, Philip; Russo, Jon
Date: Aug 1, 2004