Safe computing in the mobile age: a fresh look at SSL and IPsec for a workforce on the go, Part 1
By Cameron Laird
The right security policies and practices in yourorganization are entirely different from just a couple of years ago. Until recently, your greatest challenge in network design might have been how to configure subnets to accommodate a branch office. Now, a majority of your users are likely at some point in their work-weeks to access resources remotely. There’s more: many of them are essentially on the go continuously, with no fixed access point at all. You can’t just secure a small number of widely dispersed computing resources and all the communications between them. You must now keep everything safe, however connected or disconnected it is, and however far it roams outside the protection of your secured wiring. How does mobility change the rules you've learned? Is there any way to protect your organization short of blocking all the tablets, handsets, and other mobiles clamoring for access? Do the differences among VPN offerings matter enough to be worth your time to research?
Yes. A well-designed virtual private network (VPN) solution still has an important part to play in an overall security plan, mobility just amplifies the challenge. Success is possible, though, with a trustworthy, sustainable solution. Let's look at what it takes.
Mobility: The good, the bad, and the confused
Do you send data far enough that part of the path is outside your organization? You almost certainly do if you have:
- anyone working from home;
- a conference center across the street;
- satellite offices; and
- a dedicated datacenter servicing point-of-sale or manufacturing locations
And that’s just a few examples. In all these cases, your data travels over circuits or connections outside your control.
must have a solution which encrypts the data in transit at least over the span of the "outside" path. While at least a half-dozen different cryptographic tunneling protocols have been used commercially to encrypt network communications, SSL/TLS (Secure So
- installation-free deployment: employees only need SSL-capable browsers, and don't have to install any other software to use from tablets, netbooks, telephone handsets, and so on; and
- the orientation of SSL/TLS to browsers ensures a minimum of firewall and network-address translation (NAT) difficulties.
SSL/TLS also has a good record in regard to control and compliance: typical SSL/TLS configurations can readily restrict access based on server or client address, through multiple methods of user authentication, and provide full auditing capabilities for recording any access that takes place.
Mobile endpoints are relatively transient. They're lost, misplaced, stolen, and damaged far, far more often than their more sedentary endpoint relatives. It makes sense to minimize the cost of bringing a new device onto the VPN, as SSL VPNs do with their "installation-free" browser-based access.
Browser-based access doesn't answer all questions, though. Most immediately, browsers don't conveniently reach all resources. Microsoft Outlook, for example, is among the most crucial applications for many, many remote employees; while there are Web-based versions of Outlook, they're widely viewed as inconvenient and inferior. Moreover, as Joerg Hirschmann, CTO of NCP Secure Communications, emphasizes, many applications operate on ports other than HTTP and HTTPS, and thus don't pass through firewalls, NAT, or many of the WiFi "hot spots" at hotels and other public sites where remote connections are made.