by Alan Zeichick
When you extend your applications to mobile platforms, it's critical that budgets, deployment plans, and policies be managed to ensure that such deployments are made safely and securely.
No doubt you, your team, and your customers have already considered some of these threats. Even so, it is worth reviewing them, to provide a framework for understanding the security implications of extending enterprise applications beyond the firewall.
Watch Out for These Security Threats
Loss/theft of a networking device and its MAC address. Some wireless security schemes authenticate specific network cards by their Media Access Control (MAC) address, a unique hexadecimal code (like 00-06-25-51-3D-F1, the address of one of your author's test-lab WiFi cards) hard-wired into most Ethernet interfaces. Network administrators can configure switches, routers, and access points to permit only devices with a known MAC address to access the LAN.
While many new PDAs and notebooks, such as those using Intel® Centrino® mobile technology, have the wireless Ethernet circuitry (and associated MAC address) built into the computer, older models use removable WiFi or Ethernet cards that could be stolen or "borrowed." It is also possible to program some Ethernet interfaces with an arbitrary MAC address, so that code is not a truly trustworthy identifier. A security scheme based solely on validating MAC addresses to allow network access could thus be vulnerable to access by an unauthorized PC using a stolen access card.
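The following is an added example, not code from the article or from any vendor it mentions. It shows what a MAC allowlist check looks like in practice and why, as the text says, it is not enough on its own: the same allowlisted MAC turning up at two different access points within a few minutes is exactly the symptom of a stolen card or a reprogrammed interface. The log format, the access-point names, the timestamps and the second and third MAC addresses are all constructed for the example; only 00-06-25-51-3D-F1 comes from the article.

```python
"""Added example: MAC-allowlist checks over a constructed association log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-point log; the format and values are assumptions,
# not output of any real access point.
SAMPLE_LOG = """\
2006-01-01T12:01:05 ap=lobby-ap1 event=assoc mac=00-06-25-51-3D-F1 ip=10.1.20.17
2006-01-01T12:01:40 ap=lobby-ap1 event=assoc mac=00:06:25:aa:bb:cc ip=10.1.20.18
2006-01-01T12:02:10 ap=floor3-ap2 event=assoc mac=00-06-25-51-3D-F1 ip=10.1.30.44
2006-01-01T12:05:00 ap=lobby-ap1 event=assoc mac=00-0C-29-12-34-56 ip=10.1.20.19
"""

# Constructed allowlist of "known" cards, as an administrator might enter them
# (note the mixed separators and case; the check must normalize both sides).
ALLOWLIST = {"00-06-25-51-3D-F1", "00:06:25:AA:BB:CC"}

MAC_RE = re.compile(r"^[0-9A-F]{2}(?:[-:][0-9A-F]{2}){5}$")
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ap=(?P<ap>\S+) event=(?P<event>\S+) mac=(?P<mac>\S+) ip=(?P<ip>\S+)$"
)


def normalize_mac(mac):
    """Canonical form (upper case, colon separated); raises on malformed input."""
    mac = mac.strip().upper()
    if not MAC_RE.match(mac):
        raise ValueError("malformed MAC address: %r" % mac)
    return mac.replace("-", ":")


def parse_log(text):
    """Parse the constructed log lines into dicts with a datetime and a canonical MAC."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
        rec["mac"] = normalize_mac(rec["mac"])
        records.append(rec)
    return records


def unknown_macs(records, allowlist):
    """MACs that associated but are not on the administrator's allowlist."""
    allowed = {normalize_mac(m) for m in allowlist}
    return sorted({r["mac"] for r in records if r["mac"] not in allowed})


def duplicated_macs(records, window=timedelta(minutes=5)):
    """A MAC (allowlisted or not) that associates at two different access points
    within `window` is either a roaming client or a second device using the
    same address: a stolen card or a programmed interface. Returns {mac: [ap, ...]}."""
    by_mac = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_mac[r["mac"]].append(r)
    flagged = {}
    for mac, recs in by_mac.items():
        for earlier, later in zip(recs, recs[1:]):
            if earlier["ap"] != later["ap"] and later["ts"] - earlier["ts"] <= window:
                flagged[mac] = sorted({earlier["ap"], later["ap"]})
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("not on allowlist:", unknown_macs(recs, ALLOWLIST))
    print("seen at several APs within 5 min:", duplicated_macs(recs))
```

Legitimately roaming clients also trip `duplicated_macs`, so treat its output as a signal to correlate with the certificate or password layer the article recommends, not as a verdict on its own.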
Interception of wireless signals. It is not terribly difficult for a network expert, or a non-expert working with the right cracking tools, to intercept unencrypted WiFi signals. The significance of such an interception cannot be overstated. Plain-text passwords, access protocols, proprietary data, all could be picked up either by someone casually snooping on traffic at an airport lounge or coffee shop, or by someone deliberately targeting a particular company with malicious intent.
Imagine the publicly accessible wireless access point closest to your company's offices, perhaps at a city park or a coffee shop. Isn't it likely that someone looking to crack into your company's networks might pick up valuable wireless data by sitting there at lunchtime on a sunny day? If you're not encrypting all wireless data end-to-end, including passwords and session authentication sequences, that information may be compromised.
Loss of digital certificate or other encryption key. Even where encryption is being used, the cryptographic key itself may be vulnerable, in a way analogous to someone making an illicit copy of your front-door key or employee security badge. Digital certificates and other secure identifiers are only as safe as the place where your employee stores them. If a WiFi-equipped laptop has file sharing enabled, for example, or if the credentials are stored on removable media that could be borrowed, copied and returned, they could be copied without your employees being any the wiser. In fact, if security relies primarily on such keys for single sign-on, the use of digital credentials may lead to a false sense of impregnability.
Compromise of device via viruses, worms or spyware. One need not steal a laptop or tap into a wireless network to leverage confidential information or copy its credentials. Why not use that machine itself as a proxy for infiltrating the enterprise network? Your author's e-mail server and local anti-virus software capture many viruses and worms daily. Sometimes the sender of those malicious programs is an infected computer of a colleague, friend, or coworker. Fortunately, none of those attacks (to the best of my knowledge) was personally directed at my own company's networks. Also, nobody (to the best of my knowledge) has planted a back-door program like Back Orifice, a keystroke logger, a terminal redirector like VNC (http://www.realvnc.com/) or other software on my machines. But if they had, someone could watch me log into a secure server or even execute remote instructions without my knowledge.
Compromise of network via phishing or identity theft. What if someone captured your enterprise's secure login screen, replicated it on one of their servers with scripts to capture all input data, and then sent your employees an e-mail "from the systems administrator" instructing them to log in to the bogus site "for security reasons"? Your author sees this type of scam nearly every day in fake messages from PayPal, eBay, Amazon, and other sites requesting that the user provide login/password data to increasingly sophisticated scam sites. Could this tactic work on your employees? While this threat is not specific to wireless or mobile devices, the odds are that it would be harder to detect, and easier to carry out, for users who are outside the firewall.
Compromised publicly accessible Web terminals or networks. Your author recently attended a major technology conference, where between sessions, many users were checking corporate e-mail (or surfing the Web) via WiFi, while others were working using dozens of standard PCs set up by the conference organizer. Those PCs were rented from and administered by a local company that caters to the convention crowd.
There would be no way of knowing if a malicious conference attendee had planted a keyboard logger, remote screen display or other spyware on one of the shared machines, giving them access to a short-term VPN link, a login to a secure corporate Web site, or even the ability to eavesdrop on (and pick up passwords for) a browser-based e-mail system. Also, if a hacker has access to the conference's underlying network architecture, he/she could tap into traffic going from the wireless LAN to the WAN gateway. That's not merely an issue for conferences. Given the right target environment (such as the hotel being used for a company's annual shareholder meeting), a hacker could potentially create an environment suitable for capturing your company's proprietary data or piggybacking on secure access by remote users.
Network Security Remedies
Certainly, the reaction to the above threats, and others that you've undoubtedly envisioned, should not be to pull back from mobility. The rewards for using mobile data access to improve business agility and employee productivity are tremendous. However, security issues should be addressed when considering the exposure of any enterprise assets to mobile users, whether through VPNs, secure browser sessions, Web services, downloadable applets or any other means.
A critical step in secure enterprise mobility planning is end-to-end encryption based on secure means, such as digital certificates, for accessing enterprise networks and enterprise applications. Don't trust the native encryption offered by wireless access points, for example, especially if you don't own or have full administrative control over those access points.
However, don't rely solely on digital certificates or any one authentication method. If possible, use a multilayered approach, which combines some form of physical ID, such as a MAC address or a dongle from companies like SafeNet (http://www.safenet-inc.com/), with software-based authentication using certificates and then "information you know" like an often-changing password or other challenge/response. While all methods are potentially vulnerable, their combination may not be. RADIUS and other authentication servers can also be valuable, but of course can be compromised if the remote user's machine is hijacked.
To lessen the potential impact of the loss of a mobile device, or the interception of access protocols or back-door hijackings through a VPN, consider adding location-aware access policies and roles. All remote traffic should be considered suspect, and be monitored by firewalls or intrusion-detection systems, of course.
Enterprise mobility is falling into new, uncharted domains within IT departments, and even within ISVs and consulting organizations. Where are the boundaries between security of a local client device and its software application vs. security of a server and its software? How does one differentiate and control communications paths that span public wired/wireless networks, service providers and enterprise LANs? There are many right answers, but the most important piece of the puzzle is to ask the right questions, and factor them into an architecture. It's my hope that this article has led you to begin consideration of some of those questions.
Taking Advantage of Location Awareness
Critical applications and servers may also benefit from role-based awareness of the client's location, with users designated as "local user" or "mobile user" depending on the security of their network connection. Some sensitive functions or data transfers might be configured to be available only to "local users," that is, trusted devices that are either using an enterprise-controlled WiFi access point or are physically connected to the on-premise Ethernet infrastructure. Also consider the use of Web or Internet proxies to monitor, log and apply policies on remote users.
You may also need to ensure that strong administrative policies are in place on the local device, to ensure, for example, that file sharing is disabled, and that antivirus, intrusion detection, software firewall and other required tools and settings are not only installed, but active and up-to-date with patches. Some remote-access service providers, such as Fiberlink (http://www.fiberlink.com/) and GoRemote (now owned by iPass) can act as proxies for remote access, and their infrastructure can include features for testing and enforcing end-user policies.
In today's climate, it is increasingly the case that remote devices, such as public-access terminals, PDAs, laptops and phones, are not within the company's full control; they may be owned or leased by the employee, and used on the road or while telecommuting. Perhaps the enterprise should extend even less trust to employee-owned mobile equipment, even if corporate software is installed on it.
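Here is an added example, not code from the article or from any of the providers it names, that puts the two preceding ideas together: the "local user"/"mobile user" role derived from where the client connects, and the administrative checks on the device itself (file sharing off, antivirus and firewall running and current). The address ranges, the enterprise SSID, the function-to-role table, the posture report fields and the sample device reports are all assumptions made for the example; a real deployment would feed in the proxy's or VPN concentrator's view of the client and the posture agent's report.

```python
"""Added example: location-aware roles plus device posture, combined into one
access decision. Networks, report fields and the policy table are assumptions."""
import ipaddress
from datetime import date, timedelta

# Assumed enterprise address space: on-premise Ethernet and the
# enterprise-controlled WiFi. Anything else is treated as "mobile".
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "10.2.0.0/16")]
ENTERPRISE_SSIDS = {"corp-secure"}  # assumed name of the enterprise-run WLAN

# Which role each function requires: "local" is an on-premise or enterprise-WiFi
# connection, "mobile" is anything reaching the enterprise remotely.
FUNCTION_POLICY = {
    "read-mail": "mobile",
    "expense-report": "mobile",
    "payroll-export": "local",
    "source-checkout": "local",
}

MAX_SIGNATURE_AGE = timedelta(days=7)  # assumed policy for antivirus signatures
TODAY = date(2006, 1, 3)               # constructed "current date" for the sample run


def classify_location(client_ip, ssid=None):
    """'local' for trusted address space (and, if on WiFi, an enterprise SSID)."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        return "mobile"
    if ssid is not None and ssid not in ENTERPRISE_SSIDS:
        return "mobile"  # trusted address, but an access point we do not control
    return "local"


def posture_problems(report, today=TODAY):
    """List the policy violations in a (constructed) device self-report."""
    problems = []
    if report.get("file_sharing_enabled"):
        problems.append("file sharing enabled")
    if not report.get("antivirus_running"):
        problems.append("antivirus not running")
    sig = report.get("antivirus_signature_date")
    if sig is None or today - sig > MAX_SIGNATURE_AGE:
        problems.append("antivirus signatures stale")
    if not report.get("firewall_enabled"):
        problems.append("software firewall disabled")
    return problems


def authorize(function, client_ip, report, today=TODAY, ssid=None):
    """Return (allowed, reason). A failed posture check denies everything;
    location then decides which functions a healthy device may use."""
    if function not in FUNCTION_POLICY:
        return False, "unknown function"
    problems = posture_problems(report, today)
    if problems:
        return False, "posture: " + ", ".join(problems)
    role = classify_location(client_ip, ssid)
    if FUNCTION_POLICY[function] == "local" and role != "local":
        return False, "function restricted to local users"
    return True, "allowed as %s user" % role


# Constructed device self-reports for the sample run.
HEALTHY = {
    "file_sharing_enabled": False,
    "antivirus_running": True,
    "antivirus_signature_date": date(2006, 1, 1),
    "firewall_enabled": True,
}
SLOPPY = dict(HEALTHY, file_sharing_enabled=True,
              antivirus_signature_date=date(2005, 11, 1))

if __name__ == "__main__":
    print(authorize("payroll-export", "10.1.20.17", HEALTHY))   # local, allowed
    print(authorize("payroll-export", "203.0.113.5", HEALTHY))  # mobile, denied
    print(authorize("read-mail", "203.0.113.5", HEALTHY))       # mobile, allowed
    print(authorize("read-mail", "10.1.20.17", SLOPPY))         # posture failure
```

Two design points follow the article's advice rather than the other way round: a trusted address alone does not make a client "local" if it arrived through a WiFi network the enterprise does not run, and a device that fails posture is denied even the functions open to mobile users, since the article's point is that the compromised device itself becomes the attacker's proxy.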
About the Author
A former mainframe software developer and systems analyst, Alan Zeichick is principal analyst at Camden Associates, an independent technology research firm focusing on networking, storage, and software development.