But these wide-area and local-area wireless services are not competitors. Cellular data (WWAN) services excel at on-the-go/outdoor Internet access, whereas 802.11 WLANs are better suited for on-site/indoor private network access. Together, these technologies deliver more robust and ubiquitous connectivity than either by itself. But for mobile workers who use both,
Wireless security islands
WWANs and WLANs commonly employ different measures to authenticate and secure data in transit. Enterprise WLAN security is largely about keeping corporate networks (wired and wireless) safe from misuse and attack; enterprise WWAN security focuses on protecting business data as it traverses public networks.
Inside WLANs, administrators use 802.1X to control corporate network use, followed by 802.11i (AES) encryption to ensure privacy and integrity. Other methods may be applied to different user communities or applications – for example, WPA-PSK for handheld devices like VoIP phones, or captive portals for guests. However, all of these measures start and end inside the local network, securing just a thin sliver of that network – the wireless edge.
In contrast, workers who connect via WWANs use secure remote-access methods: SSL-protected Web portals, TLS-encrypted email connections, and/or virtual private network (VPN) tunnels. These approaches were developed to enable Internet-based access by business travelers, teleworkers and day extenders. As a result, they are network-independent, designed to tunnel private data nearly all the way to its final destination.
For users who stick to a single type of wireless network, the choice is simple. When mobile users roam between different networks, however, confusion and disruption can reign. First, there is the question of which wireless service should be used at any given time. Second, there is the impact of shifting from one network point of attachment to another. And, finally, there are the consequences of hopping between isolated security islands.
Mobile VPNs bridge the gap
How can enterprise administrators make sure that mobile PDAs and notebooks that roam between wireless networks stay safe and productive? By default, many companies start by requiring WWAN connectivity (and security) everywhere. This often results in slow or broken connections inside buildings that cellular cannot penetrate. Moreover, even where cellular works, companies chafe at paying carriers for WWAN access where higher-speed WLANs could be used.
The logical next step – using a simple connection manager to cut-over from WWAN to WLAN – creates a new set of problems. When users roam from one network point of attachment to another, application sessions must be mended quickly while minimizing disruption. Ordinary VPNs don't address this need; they can actually make matters worse by requiring tunnel reestablishment.
On the other hand, Mobile VPNs are explicitly designed to tackle the gaps between disjointed wireless and wired networks. Like conventional VPNs, Mobile VPNs use authenticated, encrypted tunnels to safeguard business data sent over untrusted networks. In addition, Mobile VPNs can offer the following features:
- Network independence: Mobile VPNs can operate over just about any kind of public or private network, including dial-up, residential broadband connections, Ethernet LANs, WLANs, WWANs, satellite data networks, and even non-IP radio networks.
- Network transparency: Mobile VPNs try to smooth over network differences by providing a consistent security environment, application interface, and user experience. From the worker's perspective, "the connection" is simply up or down. From the administrator's perspective, that connection always delivers the same security.
- Network persistence: When devices roam between networks, they lose their IP address and authenticated state. Mobile VPNs fix this by assigning each client its own virtual IP address that remains constant as physical IP addresses change. This persistent address avoids network connection resets and re-authentications while roaming.
- Suspend/resume transparency: Smartphones, PDAs and notebooks "sleep" when not busy in order to conserve power. Mobile VPN gateways serve as a proxy for suspended devices, letting them wake and resume communication without having to reestablish a VPN tunnel or repeat user login.
- Application persistence: Throughout each business day, most wireless users encounter coverage gaps – elevators, tunnels, airplanes, and regions without cellular coverage. Many mobile VPN gateways can queue application messages for later retransmission to those out-of-reach devices. This lets applications survive frequent or even lengthy disruptions – for example, transparently resuming a download started before boarding a flight immediately upon arrival and cellular service restoration.
- Policy-based roaming: Today, most notebooks and smartphones have multiple network interfaces; some Mobile VPNs can manage how available services are used based on roaming policies. For example, signal strength, link speed, pricing, usage budgets, native network security, and corporate preferences may all be factors in choosing the "best" service. Mobile VPN connection managers may trigger roaming at the appropriate time – some even use "make before break" logic to avoid loss of connectivity during handoff.
- Network-aware policies: While Mobile VPNs work hard to hide network differences from users and applications, administrators may want to consider network characteristics in policy. For example, some Mobile VPNs can automate portal login when roaming onto a known hotspot or defer routine OS and AV updates while connected to low-speed or high-cost wireless links.
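The network, suspend/resume and application persistence features above, as an added example that is not code from the article or from any vendor listed in it: a toy Python gateway keys each tunnel on a fixed virtual IP, proxies for a suspended or out-of-coverage client by queuing its messages, and flushes them when the client rebinds from a new physical address. The session-key proof on rebind is an assumption added here to show why the rebind itself must be authenticated, not just the original login.

```python
import hashlib, hmac, os
from collections import deque
# Toy Mobile VPN gateway (constructed for illustration): each authenticated client keeps
# one virtual IP while the physical address it is reachable at changes as it roams.
class MobileVpnGateway:
    def __init__(self):
        self.sessions = {}   # virtual_ip -> session state
        self.delivered = []  # (virtual_ip, physical_ip, payload) delivery log

    def authenticate(self, user, virtual_ip, physical_ip):
        # Interactive login happens once; afterwards the session key proves identity.
        key = os.urandom(32)
        self.sessions[virtual_ip] = {"user": user, "key": key, "physical": physical_ip,
                                     "reachable": True, "queue": deque()}
        return key

    def rebind(self, virtual_ip, new_physical_ip, proof):
        # Roam or resume from a (possibly new) physical address, same virtual IP. Accept only
        # with proof of the session key, else anyone could claim the virtual IP and hijack it.
        s = self.sessions[virtual_ip]
        if not hmac.compare_digest(client_proof(s["key"], new_physical_ip), proof):
            return False
        s["physical"], s["reachable"] = new_physical_ip, True
        while s["queue"]:  # application persistence: flush what was queued while away
            self.delivered.append((virtual_ip, new_physical_ip, s["queue"].popleft()))
        return True

    def suspend(self, virtual_ip):
        # Device sleeps or drops out of coverage; the gateway proxies for it meanwhile.
        self.sessions[virtual_ip]["reachable"] = False

    def send_to_client(self, virtual_ip, payload):
        s = self.sessions[virtual_ip]
        if s["reachable"]:
            self.delivered.append((virtual_ip, s["physical"], payload))
        else:
            s["queue"].append(payload)

def client_proof(key, physical_ip):
    # Client side of a rebind: MAC over the new physical address with the session key.
    return hmac.new(key, physical_ip.encode(), hashlib.sha256).hexdigest()

def demo():
    gw = MobileVpnGateway()
    key = gw.authenticate("alice", "10.0.0.5", "203.0.113.7")  # on WWAN (constructed IPs)
    gw.send_to_client("10.0.0.5", "msg1")                      # delivered at once
    gw.suspend("10.0.0.5")                                     # elevator: out of reach
    gw.send_to_client("10.0.0.5", "msg2")                      # queued at the gateway
    ok = gw.rebind("10.0.0.5", "192.168.1.20", client_proof(key, "192.168.1.20"))  # WLAN
    bad = gw.rebind("10.0.0.5", "198.51.100.9", "not-the-session-key")  # rejected
    return ok, bad, gw.delivered
```

Applications on the client never see the physical address change, because every delivery is addressed to the virtual IP; the gateway alone tracks where that IP is currently reachable.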
Mobility and security: Past, present and future
Mobile VPNs were originally aimed at public safety personnel, utility and delivery workforces, healthcare providers, and other occupations where mobility, security and productivity simply had to be combined to meet business objectives. However, today's increased use of mobile devices and the availability of high-speed wireless services may well combine to generate broader interest in Mobile VPNs.
Companies that offer products with some of the Mobile VPN features enumerated above include Agito, AppGate, BirdStep, Columbitech, DiVitas, IBM, Identiprise, Microsoft, Mobile Aware, Motorola, NetMotion Wireless, Radio IP, Smith Micro, and Trellia. Mobile VPN products are a diverse lot, though. Some focus on a single OS (e.g., Win32 notebooks or Windows Mobile handhelds) while others cover a panoply of mobile operating systems. Some focus on policy-based connection management, some focus on application persistence, and some do both. Some are targeted at enabling unified communications (UC) while others are wireless data-centric.
In short, enterprises must look very closely at Mobile VPN offerings to determine how well they do or don't align with mobile workforce needs. For example, those using Windows Mobile 6.1 smartphones will find they already have an embedded Mobile VPN client, administered via Microsoft SC-MDM. That embedded client can't be extended to support other platforms, however, and may not meet every company's security, network awareness, or application persistence requirements.
Also, consider emerging requirements such as the ability to integrate with your chosen Mobile Device Management, Network Access Control, and/or Unified Communication architectures; scalability when used with high-speed links (especially 802.11n); and support for latency-sensitive and bi-directional applications like Voice over IP and telepresence. Admittedly, such questions blur the boundaries between Mobile VPN gateways and other platforms used to satisfy broader business needs. Don't assume that Mobile VPNs necessarily need to (or should) do it all. But do consider how any Mobile VPN enables more seamless secure roaming while fitting into your overall workforce mobility architecture.
About the author:
Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation, and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.
This was first published in March 2009