Yankee Group estimates that more than half of these phones are purchased by prosumers – professional consumers that buy and use new technology for business. Without IT administration or safeguards, a lost, stolen or hacked smartphone may therefore result in business data theft or network penetration. In this tip, let's examine available measures that lock down corporate network access from Windows Mobile smartphones.
Like laptops, Windows Mobile devices run Microsoft applications, including Internet Explorer, Outlook and Office. But mobile versions are stripped down to fit CPU, memory, display and I/O limitations. On PDAs, for example, Windows Mobile 5.0 for Pocket PC and Windows Mobile 6 Classic can be used to create and edit "Pocket" Word and Excel files. However, on smaller phones without touch screens, Windows Mobile 5.0 for Smartphone and Windows Mobile 6 Standard can only view Office files, such as those received as email attachments.
These environmental differences mean that none of the security programs deployed on Windows laptops run as-is on Windows Mobile. Furthermore, programs ported to Windows Mobile PDAs do not necessarily run on smartphones. When smartphones are used for business communication, this security gap needs to be filled by using remote access products that actually support this challenging platform.
You might be surprised to learn that Windows Mobile ships with embedded PPTP and L2TP-over-IPsec clients, which allow the extension of private tunnels over the Internet. Some SMBs use PPTP VPNs, but enterprises prefer IPsec. The Windows Mobile client supports IPsec with pre-shared secrets or certificates, but loading a certificate onto a smartphone isn't easy. Parameters are limited and central administration absent. As a result, few enterprises use this embedded client.
Add-on Windows Mobile IPsec clients like Bluefire Mobile VPN, NCP Secure Entry CE, and AnthaVPN are also available. Such clients are more configurable -- which improves interoperability -- and may be administered via mobile device managers. To better compete in this market, Microsoft recently announced its own Microsoft System Center Mobile Device Manager. Available mid-2008, MSC MDM will support over-the-air provisioning and software deployment for next-generation Windows Mobile devices.
Of course, many enterprises have shifted remote workers onto browser-based VPNs, usually SSL VPNs. SSL VPNs are another option for Windows Mobile, but there are several caveats. For example, temporary (aka dissolvable) SSL VPN clients that are implemented as ActiveX controls or Win32 programs cannot run on Windows Mobile. Web browser real estate -- and therefore usability -- is extremely limited by display size.
SSL VPNs like SonicWall's Aventail Connect Mobile, F5 FirePass, and Check Point SecureClient Mobile are designed to run on Windows Mobile PDAs (and sometimes smartphones). SSL VPNs have multiple modes of operation, ranging from basic browser access to port forwarding to client-based tunneling. Because mode impacts client dependencies and applications, choose an SSL VPN that supports not only Windows Mobile, but also your target applications.
Laptops tend to stay in one physical location while online, but smartphones often do not. Mobile VPN products cater to nomadic users who roam among WLANs, WWANs and dead spots – transitions that break IPsec tunnels.
To stay on the network without interruption, mobile VPNs rely on installed client software and specialized VPN gateways. Mature mobile VPN products that currently support Windows Mobile PDAs and smartphones include Columbitech CT Secure Smartphone, Ecutel IPRoam, IBM Lotus Mobile Connect, and NetMotion Mobility XE. According to Microsoft, next year's MSC Mobile Device Manager 2008 will also serve as a mobile VPN gateway.
Traditional VPNs, mobile VPNs and tunnel-mode SSL VPNs can deliver mobile access to many different applications and prevent over-the-air data leakage. However, some mobile users need only one or two business applications secured, which can be done without a full-blown virtual private network.
Communication between Pocket Outlook and Microsoft Exchange, for example, can be encrypted by sending POP and SMTP over TLS, and in Windows Mobile 6, individual messages can be protected with S/MIME. To secure push-based mail using IT-administered policies, see Microsoft's Messaging and Security Feature Pack for Windows Mobile 5.0.
The Messaging and Security Feature Pack and Microsoft System Center Mobile Device Manager are Microsoft's answer to the BlackBerry Enterprise Server (BES). BES enables secure over-the-air messaging between BlackBerry handhelds and enterprise servers, including Exchange. However, products like Motorola Good Mobile Messaging and Nokia Intellisync Wireless Email already provide BES-like capabilities for Windows and other mobile devices. Mobile messaging servers let companies focus more specifically on locking down mobile email, contact and calendar synchronization as a first step, addressing other applications at a later time.
Complete the picture
Securing smartphone network/application access addresses only part of the business risk. Whether focusing on a single application or VPN tunnels, it's important to lock down the devices themselves.
Always use authentication and encryption to prevent unauthorized access to the smartphone, its stored data and its network connectivity. Leverage corporate network safeguards like firewalls, IPS and NAC to keep an eye on smartphone-generated traffic. They may be small, but smartphones are still Internet-connected computers – don't let them rip a loophole in your company's defenses.
About the author:
Lisa Phifer is vice president of Core Competence Inc. She has been involved in the design, implementation and evaluation of networking, security and management products for more than 25 years, and has advised companies large and small regarding security needs, product assessment, and the use of emerging technologies and best practices.
This was first published in November 2007