The VPN Expert: Securing PDA enterprise network access


Lisa Phifer
01.25.2002

by Lisa Phifer, Core Competence

Ever since the Palm Pilot's debut, administrators have been under fire to support PDAs as an integral part of IT infrastructure. When PDAs were simply portable contact managers, integration meant little more than synchronizing address books and calendars. Many exchanged brief messages using Palm.net or a personal point of presence account. But with limited memory and bandwidth, there was little real demand for remote access to enterprise networks.

Advances in PDA networks and platforms are changing that. Today's PDAs are far more capable: Palm OS platforms start at 8 MB, while Pocket PC 2002 platforms now ship with 64 MB and 206 MHz processors. Wireless WANs based on CDMA (Code-division Multiple Access), GSM (Global System for Mobile communication), GPRS (General Packet Radio Services), or CDPD (Cellular Digital Packet Data) may still be limited to 14.4 or 28.8 Kbps, but PDA analog modems operate at 56 Kbps. CompactFlash slots and PCMCIA jackets enable access to Ethernet LANs, Bluetooth personal area networks, and 802.11b wireless LANs at 1 to 11 Mbps.

As PDAs get more robust and better connected, their role is changing. Increasingly, administrators are challenged to bring PDAs into the IT fold. Doing so safely means hardening PDAs against attack. The risk posed by a lost or stolen PDA can be reduced by power-on passwords and data-at-rest encryption products like PDA Defense and movianCrypt. But those controls protect only the data stored on the device. What about privacy, integrity, and authenticity for the traffic a PDA exchanges with the enterprise network?

Gateways for roaming PDAs
Because most corporate travelers now carry PDAs, there is growing interest in PDA-based secure WAN access to back-office systems.

Those willing to accept the privacy of the public telephone network for the dial-up leg may consider a service like RemotePipes VSPOP. Users dial an 800 number to reach a RemotePipes "virtual secure point of presence." IPSec tunnels secure traffic from the VSPOP to the enterprise firewall protecting back-office applications; note that the hop from the PDA to the VSPOP is not encrypted, so this is not end-to-end protection. "We utilize Nortel Shasta and CVX equipment, in conjunction with our expertise and jointly-developed software, to enable any PC, laptop, Palm, or Pocket PC to access corporate networks with no client software," said Doug Bonestroo, CEO.

Those requiring end-to-end (client to server) privacy can "web-enable" enterprise applications, securing them with Secure Sockets Layer (SSL). Traditional websites are often hard to use on small-screen PDAs. Wireless Application Protocol (WAP) gateways can translate HTML/SSL into Wireless Markup Language (WML)/Wireless Transport Layer Security (WTLS) to accommodate small displays -- notably on smartphones. However, WAP requires development per application and introduces a "WAP gap": the gateway must terminate WTLS and re-encrypt with SSL, so traffic exists in the clear, however briefly, at the (usually carrier-operated) gateway.

Another browser-based alternative is to deploy an enterprise SSL gateway like Neoteris Instant Virtual Extranet or uRoam FirePass. FirePass lets PCs, smartphones, Palms, and Pocket PCs tunnel over SSL or WTLS to a FirePass Server -- an appliance deployed near the company's firewall. The uRoam MyDesktop graphical user interface provides PDA-friendly access to Microsoft Outlook, Lotus Notes, and File Manager applications running on a PC in the target network. A "webifyer" can integrate other enterprise applications.

VPN clients for PDAs
Companies that already use VPN clients to secure teleworker PC and traveler laptop access may prefer a client-based approach for PDAs. Building a consistent, cross-platform solution that secures WAN, wireless LAN, and personal area network access by any device may sound attractive, but is it really feasible?

Microsoft's new Pocket PC 2002 lets PDAs with wired or wireless connections use Connection Manager to launch the built-in Point-to-Point Tunneling Protocol (PPTP) client, tunneling traffic to a PPTP server. The server can be a PC running NT or Windows 2000 RRAS or a PPTP-enabled Internet appliance or firewall. Because PPTP is comparatively easy to deploy, many small companies use it. Its protection, however, rests on the MS-CHAP password exchange and on MPPE session keys derived from that password, so it is only as strong as the user's password. Larger enterprises tend to invest in more secure alternatives like IPSec.

After Microsoft's dial-up client, the most widely-used Win32 VPN client today is SafeNet's SoftPK. In December, SafeNet announced SoftRemotePDA, an IPSec client for Palm OS PDAs with CDPD access. According to Maureen Kolb, corporate communications manager, SoftRemotePDA beta testing is still underway. "We recommend an m500 series because it works much faster, but we can also work with the Palm Vx. We've tested with AT&T and Verizon, but will probably work with other [CDPD providers]," said Kolb. While SoftRemotePDA sounds promising, those needing solutions for other OSs or networks must look elsewhere.

Certicom's movianVPN has a broader reach. This IPSec client is available today on Palm OS 3.5+, Handheld PC 2000, Pocket PC 3.0, and Pocket PC 2002. It has been used with Ethernet, 802.11b, CDMA, CDPD, GSM, GPRS, Integrated Digital Enhanced Network (iDEN), Time Division Multiple Access (TDMA), 56K analog modems, and Bluetooth, tested with dozens of PDAs, modems, and network providers. According to Susan Tomilo, director of business development, "We've found that, even though all of these products are allegedly standards-based, our customers will try a new combination and find something that needs work. We do the interoperability testing to make our product broadly interoperable across the entire value chain."

PDA VPN clients have been slow to take hold, but Certicom saw growth after releasing 802.11b support in October. "In earlier days, part of the problem was that the network itself was slow," said Tomilo. "Mobile applications were certainly usable, but they were not the main tool. With 802.11b, handheld devices can be primary tools. In some cases, we're now seeing workers using 802.11b in the factory and Sprint or ATT outside the factory."

To overcome device limitations, movianVPN supports both standard Diffie-Hellman and elliptic curve Diffie-Hellman (ECDH). ECDH reaches comparable strength with far smaller keys and cheaper arithmetic than modular Diffie-Hellman, which matters on a handheld processor. "Some VPN gateway manufacturers (Alcatel, Nortel, Cisco, Intel) have deployed our ECDH technology," said Tomilo. "With new PDAs, some of these barriers are going away. Our product lets enterprises do more with smaller devices. They don't expect handhelds to do everything that you can do with a laptop, but we're letting you do more with them."

The devil is in the detail
Administrators know that ideas that sound great at 30,000 feet can fall apart somewhere between conception and deployment. In coming months, we will take a closer look at how these PDA VPN solutions are deployed and the PDA/network/gateway combinations that are supported. We will look at who is using PDA VPNs and the kinds of applications they run. Ultimately, we hope to help you better appreciate the capabilities and limitations of PDA participation in enterprise VPNs. Stay tuned for next month's column.
