Secure remote access: Closing the Windows Mobile Smartphone loophole


Lisa Phifer, Core Competence
11.20.2007

According to research firm Canalys, smartphone shipments jumped 63% last year, topping 64 million units worldwide. And after a long delay, these popular mobile devices are finally being used to access corporate networks.

Yankee Group estimates that more than half of these phones are purchased by prosumers – professional consumers who buy and use new technology for business. Without IT administration or safeguards, a lost, stolen or hacked smartphone may therefore result in business data theft or network penetration. In this tip, let's examine the available measures for locking down corporate network access from Windows Mobile smartphones.

Same name, different game
Like laptops, Windows Mobile devices run Microsoft applications, including Internet Explorer, Outlook and Office. But mobile versions are stripped down to fit CPU, memory, display and I/O limitations. On PDAs, for example, Windows Mobile 5.0 for Pocket PC and Windows Mobile 6 Classic can be used to create and edit "Pocket" Word and Excel files. However, on smaller phones without touch screens, Windows Mobile 5.0 for Smartphone and Windows Mobile 6 Standard can only display Office files received as email attachments and the like.

These environmental differences mean that none of the security programs deployed on Windows laptops run as-is on Windows Mobile. Furthermore, programs ported to Windows Mobile PDAs do not necessarily run on smartphones. When smartphones are used for business communication, this security gap needs to be filled by using remote access products that actually support this challenging platform.

Traditional VPNs
You might be surprised to learn that Windows Mobile ships with embedded PPTP and L2TP-over-IPsec clients, which allow the extension of private tunnels over the Internet. Some SMBs use PPTP VPNs, but enterprises prefer IPsec. The Windows Mobile client supports IPsec with pre-shared secrets or certificates, but loading a certificate onto a smartphone isn't easy. Parameters are limited and central administration is absent. As a result, few enterprises use this embedded client.

Add-on Windows Mobile IPsec clients like Bluefire Mobile VPN, NCP Secure Entry CE, and AnthaVPN are also available. Such clients are more configurable -- which improves interoperability -- and may be administered via mobile device managers. To better compete in this market, Microsoft recently announced its own Microsoft System Center Mobile Device Manager. Available mid-2008, MSC MDM will support over-the-air provisioning and software deployment for next-generation Windows Mobile devices.

SSL VPNs
Of course, many enterprises have shifted remote workers onto browser-based VPNs, usually SSL VPNs. SSL VPNs are another option for Windows Mobile, but there are several caveats. For example, temporary (aka dissolvable) SSL VPN clients that are implemented as ActiveX controls or Win32 programs cannot run on Windows Mobile. Web browser real estate -- and therefore usability -- is extremely limited by display size.

SSL VPNs like SonicWall's Aventail Connect Mobile, F5 FirePass, and Check Point SecureClient Mobile are designed to run on Windows Mobile PDAs (and sometimes smartphones). SSL VPNs have multiple modes of operation, ranging from basic browser access to port forwarding to client-based tunneling. Because the mode affects client dependencies and applications, choose an SSL VPN that supports not only Windows Mobile, but also your target applications.

Mobile VPNs
Laptops tend to stay in one physical location while online, but smartphones often do not. Mobile VPN products cater to nomadic users who roam among WLANs, WWANs and dead spots – transitions that break IPsec tunnels.

To stay on the network without interruption, mobile VPNs rely on installed client software and specialized VPN gateways. Mature mobile VPN products that currently support Windows Mobile PDAs and smartphones include Columbitech CT Secure Smartphone, Ecutel IPRoam, IBM Lotus Mobile Connect, and NetMotion Mobility XE. According to Microsoft, next year's MSC Mobile Device Manager 2008 will also serve as a mobile VPN gateway.

VPN alternatives
Traditional VPNs, mobile VPNs and tunnel-mode SSL VPNs can deliver mobile access to many different applications and prevent over-the-air data leakage. However, some mobile users need only one or two business applications secured, which can be done without a full-blown virtual private network.

Communication between Pocket Outlook and Microsoft Exchange, for example, can be encrypted by sending POP and SMTP over TLS, and in Windows Mobile 6, individual messages can be protected with S/MIME. To secure push-based mail using IT-administered policies, see Microsoft's Messaging and Security Feature Pack for Windows Mobile 5.0.
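
To check that a mail server really gives handhelds a TLS path for SMTP and POP, the capability list it sends before encryption can be audited. The Python below is an added example, not part of the original tip or any vendor's tooling: it assumes the STARTTLS (SMTP) and STLS (POP3) upgrade form of TLS, and the function names, host name and transcripts are constructed for illustration.

```python
# Added example: audit the capability list a mail server sends BEFORE TLS.
# All transcripts are constructed samples; example.test is a placeholder.

def smtp_caps(reply):
    """Parse a multi-line EHLO reply ("250-..." / "250 ...") into {KEYWORD: [args]}."""
    lines = [l[4:].strip() for l in reply.splitlines() if l[:3] == "250" and len(l) > 4]
    caps = {}
    for entry in lines[1:]:              # lines[0] is the server's domain greeting
        word, _, args = entry.partition(" ")
        caps[word.upper()] = args.upper().split()
    return caps

def pop3_caps(reply):
    """Parse a POP3 CAPA reply ("+OK", one capability per line, lone ".")."""
    lines = reply.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return {}                        # CAPA refused: nothing is advertised
    caps = {}
    for entry in lines[1:]:
        if entry.strip() == ".":
            break
        word, _, args = entry.strip().partition(" ")
        if word:
            caps[word.upper()] = args.upper().split()
    return caps

def audit(proto, reply):
    """Return findings for one cleartext capability reply ('smtp' or 'pop3')."""
    caps = smtp_caps(reply) if proto == "smtp" else pop3_caps(reply)
    upgrade = "STARTTLS" if proto == "smtp" else "STLS"
    findings = []
    if upgrade not in caps:
        findings.append(f"{upgrade} not offered: session cannot be upgraded to TLS")
    mechs = set(caps.get("AUTH", []) + caps.get("SASL", []))
    if mechs & {"PLAIN", "LOGIN"} or (proto == "pop3" and "USER" in caps):
        findings.append("password login advertised on the cleartext channel")
    return findings

SMTP_WEAK = "250-mail.example.test\r\n250-SIZE 10240000\r\n250-AUTH PLAIN LOGIN\r\n250 8BITMIME\r\n"
SMTP_GOOD = "250-mail.example.test\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
POP3_WEAK = "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN\r\n.\r\n"
POP3_GOOD = "+OK Capability list follows\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n"

if __name__ == "__main__":
    for name, proto, reply in [("smtp weak", "smtp", SMTP_WEAK), ("smtp good", "smtp", SMTP_GOOD),
                               ("pop3 weak", "pop3", POP3_WEAK), ("pop3 good", "pop3", POP3_GOOD)]:
        print(name, audit(proto, reply) or "ok")
```

Servers that accept mail clients only on implicit-TLS ports have no cleartext phase, so this audit applies only to listeners that start unencrypted.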

The Messaging and Security Feature Pack and Microsoft System Center Mobile Device Manager are Microsoft's answer to the BlackBerry Enterprise Server (BES). BES enables secure over-the-air messaging between BlackBerry handhelds and enterprise servers, including Exchange. However, products like Motorola Good Mobile Messaging and Nokia Intellisync Wireless Email already provide BES-like capabilities for Windows and other mobile devices. Mobile messaging servers let companies focus more specifically on locking down mobile email, contact and calendar synchronization as a first step, addressing other applications at a later time.

Complete the picture
Securing smartphone network/application access addresses only part of the business risk. Whether focusing on a single application or VPN tunnels, it's important to lock down the devices themselves.

Always use authentication and encryption to prevent unauthorized access to the smartphone, its stored data and its network connectivity. Leverage corporate network safeguards like firewalls, IPS and NAC to keep an eye on smartphone-generated traffic. They may be small, but smartphones are still Internet-connected computers – don't let them rip a loophole in your company's defenses.

About the author:
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
