Protecting Road Warriors: Managing Security for Mobile Users (Part One)

Managing security within the confines of an organization or enterprise is a difficult job. Worms, viruses, spam, malware, port scans and perimeter defense probes are constant threats. Servers and desktop systems require regular patching and monitoring, and IDS signatures and firewall rules are under constant review and tweaking. Thankfully, the desktops and servers sit well protected within the confines of your network. Imagine what it would be like if every user's system was located on your network perimeter and had none of the safeguards your multi-layered security systems provide.

Unfortunately, you most likely have such systems: your mobile users. Whether it's your sales force, world-traveling executives or just a user "working from home," these people are separated from all of your inner defenses and are at the mercy of their surroundings. You need a strategy to ensure their systems and their data is as safe on the road as they are in your own borders.

A layered defense

The best way to safeguard the mobile user is to use the same approach as you would when securing your network: use layers. You have to worry about the physical system security, network security and data security - it just so happens that it's all in one, compact, portable package: convenient for the attackers, not so convenient for those who need to manage those systems.

Your first concern is protecting the physical asset, which is most likely a laptop or notebook computer. To do that, you should give Josh Ryder's article on Laptop Security [ref 1] a good read. He has advice on keeping the laptop safe from theft and also on basic security measures, such as BIOS passwords. This step is akin to putting locks on the doors to your buildings.

Once you've secured the physical device, you need to switch gears and look at the other areas to secure: network, application/operating system and data.

Mobile network security in a connected world

Even when your users are mobile, they expect to be able to check e-mail, exchange files and have web access on-the-go. In the past, this would have probably meant dialing into the corporate network remote access service via modem or using a direct ISDN connection. Security was "easy" in those days. Now, most organizations find that it is much more cost effective to let companies like iPass [ref 2] manage the connections - which are usually dial-up, broadband or WLAN Internet hookups - and provide access to corporate systems and data in some other fashion (e.g. SSl/VPN). If you don't have a unified access provider like iPass, users can still take advantage of solutions from services such as Boingo Wireless [ref 3] & T-Mobile [ref 4] and mobile campgrounds in hotels, Starbucks and Borders to make that first connection to the Internet. And that's where the trouble begins: you have a workstation (most likely running a flavor of Microsoft Windows) directly on the Internet, ready to be attacked by every worm, virus and hacker that is plaguing the network address block they were assigned to. Your internal systems are protected by one or more firewalls and that's exactly what is needed here: a personal, mobile firewall.

Starting with Windows 2000 and continuing with Windows XP, Microsoft has included a basic firewall with every system that is capable of performing the most important task required of a firewall: keeping the bad packets out. However, there are limitations when using the built-in firewall. Users have to really know what they're doing if they want to do anything beyond blocking all incoming packets. Furthermore, there is no decent GUI to manage the configuration, no built-in reporting tool to examine logs and troubleshoot problems and there is no easy way to deal with users who go back and forth from the road to the office (NOTE: it is easier with XP to create GPO/domain-based rules, but it still is not straightforward).

Ideally, the mobile user shouldn't have to know about firewalls at all. They want their mobile experience to be the same as it is on the inside: plug it in and work. Desktop administrators would also prefer that the users not know about the firewall at all, or at least not be able to modify the configurations. There are quite a few personal/desktop firewall products to choose from. Traditional network firewalls employ various methods to allow or deny network access and have strengths and weaknesses in various areas, especially depending on the type of firewall. Desktop/personal firewalls are no different. Here are some elements you should look for:

Stateful packet filtering

Robust protocol support

Application protection

Intrusion detection/prevention (IDS/IPS)

Firewall rules

Management and monitoring

Is there a way to deploy the firewall using either your existing software deployment frameworks (e.g. SMS, Altiris) or a built-in system? Can the updates/installs be performed transparently to the user? Is the firewall itself a visible component to the end-user or does it have visible status indicators and configuration screens? If necessary, can the firewall be disabled easily (handy for troubleshooting problems).

Can the firewall and or IDS/IPS components be configured to periodically or constantly send logging information to the management systems? Does the management system have a robust reporting framework and can that reporting system be integrated with other operations systems you currently have?

How often does the vendor patch the firewall code (this is important since it may require system reboots and cause support issues for your workers in the field)?

Does the firewall have the ability to block incoming ports and protocols but allow full communications if connections were established from the mobile computer? Can the firewall handle troublesome protocols such as FTP cleanly or does it require a great deal of administrative work? What protocols does the firewall support: UDP,TCP, ICMP, etc? Does it handle enough of them to support your current and potential needs? Are there built in definitions for the common services that use those ports or do you need to define those yourself? How quickly does the vendor handle updates when new protocols or services become prevalent? Does the firewall have the capability to determine what applications are and aren't allowed to have access to network resources (preferably defined by an administrative policy)? Can the firewall examine application activity and block access to network resources when it determines that an application has been altered in some way or is exhibiting signs of worm or virus propagation? Is it possible to use the firewall to block applications that violate the security policies of your organization, such as P2P programs (e.g Kazaa, Morpheus, Bittorent) and instant messaging clients? Does the firewall have a cooperative IDS/IPS component that enables automatic blocking of packets that meet well-defined attack signatures? Can this feature be turned off or augmented if necessary in the event it interferes with legitimate network traffic to the mobile workstation? How often does the vendor update the IDS signatures and can you define your own if necessary? Will the IDS/IPS logging features (if any) integrate with your existing security operations consoles? Does the firewall support robust rule configuration with priorities and clear definitions of internal and external components? Can the firewall rules be updated dynamically depending on factors such as network location or whether you are logged in to your company's network? How easy is it to update the firewall rulesets once they are in place? Does the firewall have a means to manage potentially tens of thousands of mobile devices spread across the globe? Is there a tiered management system so that multiple, locally-deployed systems can be used instead of one or two large systems? Can management systems be placed both internally and externally to support management both when your users are inside and outside your network?

Another important factor to consider is whether the firewall has a way to talk to other security products and whether or not it is part of a complete suite of products available from a particular vendor. Choosing a product that either interacts well with others or has counterparts of it's own within a product family usually provides security administrators with more robust control over security in their environment. Selecting a desktop firewall that integrates well with third party products may enable you to use a best-of-breed philosophy when choosing any type of security product. You may, however, subscribe to the one-vendor approach and try to take advantage of reduced administrative load by selecting a firewall that uses the same management framework as the rest of your security tools.

Finally, you would ideally want to be able to configure it so that the firewall must be active and the proper ruleset enabled before Internet access is allowed. iPass and other access providers have APIs that support these type of checks and it may be important enough for you to make this a primary checklist item during your evaluation.

Whatever your choice, it is important to have a robust firewall/IDS/IPS as your first layer of mobile defense.

Bringing out the HASMAT Team

If a well-configured/managed firewall is your first line of defense, a regularly updated virus scanner should be your second-line of defense. Even the best firewalls can't completely prevent users from allowing their systems to be the target of a virus/worm attack. Anti-virus systems provide this coverage, but only if they have the latest virus signatures and engine.

When systems are connected directly to your network 24x7, it is pretty straightforward to keep them updated. Mobile systems are a bit more challenging. Your users may not even have network connectivity for days or weeks at a time. Even when they do connect, they may not connect to your network or external management systems at all (the Internet access may be all that they need). You also cannot expect or rely on users to manually update their systems.

When they do connect to the Internet, the virus and worm propagators are just as eager to infect them as you are to have them protected. How do you ensure their virus engines and signatures are as current as possible? Here are some points to look for when selecting an anti-virus product:

Type of scanning

Signature (DAT) and engine updates

Management and monitoring

Is the AV software part of a suite of products or a lone best-of-breed product? Can it be installed and managed via existing support mechanisms (e.g. SMS/Altiris) or does it only work within its own management framework? Is the AV program transparent to the user or can the user view status and configuration screens for the product? Can the anti-virus program be disabled by the user for troubleshooting problems?

Does the AV tool support scheduled scanning of specified files and directories? Does it support multiple schedules? Does it examine active memory for virus activity? Can it be configured to scan files on open, read, write or close actions? Are the scans intrusive to the user experience (i.e. can it be configured to ensure system performance is not degraded)? Does the scanning engine employ heuristics to catch new infections before they start? How frequently does the vendor update DAT files and engine code? What is the average response time between outbreak and signature update for the past three major virus/worm incidents? Is there a mechanism to enable updates both internally - when the user is connected directly to your network - and externally - when the user is potentially only connected to the Internet? This is potentially a very important point to consider when your users may be on the road more than they are in-house. Similar to the firewall questions, is there a multi-tier management system capability and are there strong logging capabilities in the client? Does it provide robust and open reporting capabilities? How does it handle clients that may only have intermittent connections with the system? Is there a way to integrate a check for working and updated anti-virus programs with services such as iPass?

Concluding part one

Firewall/IDS/IPS and anti-virus systems provide the first two fundamental layers of security. Part two in this series completes the remote access security discussion and focuses on the protecting the valuable, mobile data.