I was interviewed on the topic of Mobile, Wireless, and Security several times this year however only a portion typically makes it to print so I'm blogging about it.
I encourage you to share your experiences here or send me an e-mail at firstname.lastname@example.org, Thank you from Stephen Ibaraki, I.S.P., DF/NPA, CNP
This is a four-part blog series:
Part 1/4: The Major Move to Mobile and Wireless: are you prepared?
Part 2/4: The Value of Security for Mobile/Wireless
Part 3/4: Managing Mobile and Wireless Security Effectively
Part 4/4: 5 Essential Tips for Mobile and Wireless Computing
There are many possible solutions. For example, to protect laptops, a business can encrypt the laptop hard disk data using encryption features native to Windows operating systems. To control access to hard drives and manage internet access, a Virtual Machine (VM) environment can be implemented. This creates a controlled, secure, policy managed virtual machine environment on the laptop or mobile computer. The VM is created by the business and can be implemented quickly on mobile computers. Also, if the computer becomes corrupted, it's quick and easy to re-implement the managed system using VM technology. The VM environment also provides a controlled environment to prevent problems coming from home use or accessing the business network using a VPN.
There should also be guidelines; access, network, and security policies in place. There are so many I include only a few here:
- Only trusted employees are allowed access.
- Access should be restricted to the specific role [job] occupied by the employee. As an example, a front-end desk person should not have access to accounting data.
- Access times must be restricted. As one example, an evening worker should only have access in the evenings.
- The standard network access rules apply such as complex passwords that expire frequently.
- Abnormal activity must be monitored, analyzed and alerts made. For example, a help-desk person who works only day shifts should not have activity showing at 3am. You should also monitor for unauthorized devices attempting access. You need to be alerted immediately and steps taken to prevent further access. And, you should monitor for unauthorized wireless access points or mobile devices on the network and shut them down immediately. There must be well-defined policies in place for these kinds of devices and how they should be handled.
- There must be physical boundaries to access; limits put into place restricting access outside the physical business boundaries. Signal power levels could be reduced near boundary areas to restrict the extent of wireless broadcast. Directional antennas could be tried to restrict the signal spread.
- For companies who have 802.11x (a, b, g as examples) networks, it's good to implement 802.11i for authentication and encryption, 802.11d for better roaming access, and 802.11e for quality of service improvements. Companies should monitor the future of 802.11n and Wi-Max or 802.16. Also using more than four channels presents problems with interference and channel management as does configuring all your access points to the same channel. For example, in 802.11b/g, you have 11 channels to use. Don't use the same channels for all your wireless access points or traffic from all the computers goes through all the access points slowing down the network due to duplicated traffic. Also with adjoining coverage wireless access points, assign widely separated channel numbers to reduce interference. In addition, monitor traffic to balance the load amongst wireless access points by shutting down access points or reducing power levels of access points. You would also design for overlap in coverage areas so no spot is without a signal.
- Use the same management software to manage both the wired and wireless networks.
- As much as possible, keep sensitive data on secured host resources and not on wireless or mobile devices.
- Don't allow un-managed personal devices into the network; allow only managed, authorized, business-use only devices.
- Don't allow un-managed personal devices to have Virtual Private Network (VPN), remote access to the business network (such as from home). Allow only managed, authorized, business-use only devices.
- Secure mobile computers and their hard drives off-site by employing solutions such as Virtual Machine software, encryption, complex passwords, managed business image (environment) on the computers, and so on.
- Restrict, authenticate, encrypt wireless access using the latest protocols such as 802.11i. WEP (Wired Equivalent Privacy) is commonplace but suffers from the fact that the keys are shared by everyone one the network and have to be changed manually. If WEP is used then a policy has to be in place to rotate the keys used. WPA (Wi-Fi Protected Access) uses keys that dynamically rotate but the keys have to be deployed manually. AES (Advanced Encryption Standard) is a newer encryption standard but requires good guidelines to make it work. Allow only access to registered devices - that is their MAC addresses are registered and only they are allowed access to the business network. Be mindful that newer standards such as AES which is supported by 802.11i likely requires a hardware upgrade. You also have to examine your existing way of doing things. For example, if you are using 802.1x for authenticating your employees now, then it's easier to implement 802.11i.
- Educate users on accessing the internet through public hotspots and the dangers of evil twin hotspots.