We have a few users that are always out of the office, and sometimes they need to connect back to our office to access a Web application on the intranet.
We are thinking of letting these users access the application on a PDA going through a GPRS network back to our office. Here is the flow: PDA -> the user keys in the Web address of the intranet application -> GPRS network -> our DMZ reverse proxy server -> intranet application.
What is the best way to implement the security aspects of this type of setup?
All wireless access introduces security risk. As a minimum, you would want to be sure that your GPRS-capable PDA and your proxy server support IPsec. You need to have a VPN connection to ensure that none of your sensitive intranet information is sent in plain text. There also needs to be some access control to the application. Perhaps that is already done by your reverse proxy server, but you didn't specify. The VPN connection can be used to protect the sequence used to authenticate the remote user to the application.
As with any remote access, consider the risk of a PDA (or laptop) falling into the wrong hands. Authentication information should not be stored on that PDA. If sensitive information is sent from the intranet to the PDA, consider some form of data encryption to protect the information while it is stored on the PDA. Again, the decryption key needed should not be stored on or with the PDA.
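The following is an added example, not part of the original answer, of what the access control "already done by your reverse proxy server" can look like on the DMZ proxy in the flow above. It assumes an nginx reverse proxy (a hypothetical choice; the question names no product), a VPN address pool of 10.8.0.0/24 that the IPsec tunnel hands out to the PDAs, an internal CA that issues a client certificate to each PDA, and an intranet application at http://intranet-app.internal:8080 (all placeholder values).

```nginx
# DMZ reverse proxy for the intranet application (added example, assumed layout).
# Goals, matching the answer above: nothing in plain text, access control at the
# proxy, and no sensitive pages left cached on the PDA.

server {
    # Refuse plain HTTP entirely; redirect so a mistyped URL is not served in clear.
    listen 80;
    server_name intranet.example.com;          # placeholder hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name intranet.example.com;          # placeholder hostname

    ssl_certificate     /etc/nginx/tls/proxy.crt;      # placeholder paths
    ssl_certificate_key /etc/nginx/tls/proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Access control 1: only addresses inside the IPsec VPN pool may reach the
    # proxy, so a device that is not on the tunnel never sees the application.
    allow 10.8.0.0/24;                         # assumed VPN pool
    deny  all;

    # Access control 2: each PDA presents a client certificate issued by our CA.
    # The private key lives only on the device and no password is stored there.
    ssl_client_certificate /etc/nginx/tls/internal-ca.crt;
    ssl_verify_client      on;

    # Tell the PDA browser not to keep copies of the pages it receives, so less
    # sensitive data sits on the device if it is lost.
    add_header Cache-Control "no-store";
    add_header Pragma "no-cache";
    proxy_hide_header Set-Cookie;              # drop app cookies unless the app needs them

    location / {
        proxy_pass http://intranet-app.internal:8080;   # placeholder backend
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # Pass the certificate subject so the application can map it to a user.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

Remove the `proxy_hide_header Set-Cookie` line if the application relies on session cookies; it is included only to show that what reaches the PDA is a proxy policy decision.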
This was first published in August 2003