Protecting Road Warriors: Managing Security for Mobile Users (Part One)
by Bob Rudis
Managing security within the confines of an organization or enterprise is a difficult job. Worms, viruses, spam, malware, port scans and perimeter defense probes are constant threats. Servers and desktop systems require regular patching and monitoring, and IDS signatures and firewall rules are under constant review and tweaking. Thankfully, the desktops and servers sit well protected within the confines of your network. Imagine what it would be like if every user's system was located on your network perimeter and had none of the safeguards your multi-layered security systems provide.
Unfortunately, you most likely have such systems: your mobile users. Whether it's your sales force, world-traveling executives or just a user "working from home," these people are separated from all of your inner defenses and are at the mercy of their surroundings. You need a strategy to ensure their systems and their data is as safe on the road as they are in your own borders.
A layered defense
The best way to safeguard the mobile user is to use the same approach as you would when securing your network: use layers. You have to worry about the physical system security, network security and data security - it just so happens that it's all in one, compact, portable package: convenient for the attackers, not so convenient for those who need to manage those systems.
Your first concern is protecting the physical asset, which is most likely a laptop or notebook computer. To do that, you should give Josh Ryder's article on Laptop Security [ref 1] a good read. He has advice on keeping the laptop safe from theft and also on basic security measures, such as BIOS passwords. This step is akin to putting locks on the doors to your buildings.
Once you've secured the physical device, you need to switch gears and look at the other areas to secure: network, application/operating system and data.
Mobile network security in a connected world
Even when your users are mobile, they expect to be able to check e-mail, exchange files and have web access on-the-go. In the past, this would have probably meant dialing into the corporate network remote access service via modem or using a direct ISDN connection. Security was "easy" in those days. Now, most organizations find that it is much more cost effective to let companies like iPass [ref 2] manage the connections - which are usually dial-up, broadband or WLAN Internet hookups - and provide access to corporate systems and data in some other fashion (e.g. SSl/VPN). If you don't have a unified access provider like iPass, users can still take advantage of solutions from services such as Boingo Wireless [ref 3] & T-Mobile [ref 4] and mobile campgrounds in hotels, Starbucks and Borders to make that first connection to the Internet. And that's where the trouble begins: you have a workstation (most likely running a flavor of Microsoft Windows) directly on the Internet, ready to be attacked by every worm, virus and hacker that is plaguing the network address block they were assigned to. Your internal systems are protected by one or more firewalls and that's exactly what is needed here: a personal, mobile firewall.
Starting with Windows 2000 and continuing with Windows XP, Microsoft has included a basic firewall with every system that is capable of performing the most important task required of a firewall: keeping the bad packets out. However, there are limitations when using the built-in firewall. Users have to really know what they're doing if they want to do anything beyond blocking all incoming packets. Furthermore, there is no decent GUI to manage the configuration, no built-in reporting tool to examine logs and troubleshoot problems and there is no easy way to deal with users who go back and forth from the road to the office (NOTE: it is easier with XP to create GPO/domain-based rules, but it still is not straightforward).
Ideally, the mobile user shouldn't have to know about firewalls at all. They want their mobile experience to be the same as it is on the inside: plug it in and work. Desktop administrators would also prefer that the users not know about the firewall at all, or at least not be able to modify the configurations. There are quite a few personal/desktop firewall products to choose from. Traditional network firewalls employ various methods to allow or deny network access and have strengths and weaknesses in various areas, especially depending on the type of firewall. Desktop/personal firewalls are no different. Here are some elements you should look for:
Stateful packet filtering
Robust protocol support
Intrusion detection/prevention (IDS/IPS)
Management and monitoring
Is there a way to deploy the firewall using either your existing software deployment frameworks (e.g. SMS, Altiris) or a built-in system? Can the updates/installs be performed transparently to the user? Is the firewall itself a visible component to the end-user or does it have visible status indicators and configuration screens? If necessary, can the firewall be disabled easily (handy for troubleshooting problems).
Can the firewall and or IDS/IPS components be configured to periodically or constantly send logging information to the management systems? Does the management system have a robust reporting framework and can that reporting system be integrated with other operations systems you currently have?
How often does the vendor patch the firewall code (this is important since it may require system reboots and cause support issues for your workers in the field)?
Another important factor to consider is whether the firewall has a way to talk to other security products and whether or not it is part of a complete suite of products available from a particular vendor. Choosing a product that either interacts well with others or has counterparts of it's own within a product family usually provides security administrators with more robust control over security in their environment. Selecting a desktop firewall that integrates well with third party products may enable you to use a best-of-breed philosophy when choosing any type of security product. You may, however, subscribe to the one-vendor approach and try to take advantage of reduced administrative load by selecting a firewall that uses the same management framework as the rest of your security tools.
Finally, you would ideally want to be able to configure it so that the firewall must be active and the proper ruleset enabled before Internet access is allowed. iPass and other access providers have APIs that support these type of checks and it may be important enough for you to make this a primary checklist item during your evaluation.
Whatever your choice, it is important to have a robust firewall/IDS/IPS as your first layer of mobile defense.
Bringing out the HASMAT Team
If a well-configured/managed firewall is your first line of defense, a regularly updated virus scanner should be your second-line of defense. Even the best firewalls can't completely prevent users from allowing their systems to be the target of a virus/worm attack. Anti-virus systems provide this coverage, but only if they have the latest virus signatures and engine.
When systems are connected directly to your network 24x7, it is pretty straightforward to keep them updated. Mobile systems are a bit more challenging. Your users may not even have network connectivity for days or weeks at a time. Even when they do connect, they may not connect to your network or external management systems at all (the Internet access may be all that they need). You also cannot expect or rely on users to manually update their systems.
When they do connect to the Internet, the virus and worm propagators are just as eager to infect them as you are to have them protected. How do you ensure their virus engines and signatures are as current as possible? Here are some points to look for when selecting an anti-virus product:
Type of scanning
Signature (DAT) and engine updates
Management and monitoring
Is the AV software part of a suite of products or a lone best-of-breed product? Can it be installed and managed via existing support mechanisms (e.g. SMS/Altiris) or does it only work within its own management framework? Is the AV program transparent to the user or can the user view status and configuration screens for the product? Can the anti-virus program be disabled by the user for troubleshooting problems?
Concluding part one
Firewall/IDS/IPS and anti-virus systems provide the first two fundamental layers of security. Part two in this series completes the remote access security discussion and focuses on the protecting the valuable, mobile data.
Comments and/or reprint requests can be sent to the editor.
This article originally appeared on SecurityFocus.com -- reproduction in whole or in part is not allowed without expressed written consent.