by Lisa Phifer, Core Competence
Last month's column discussed the growing demand for secure PDA access to enterprise networks. It summarized alternatives for mobile device connection, ranging from the public switched telephone network to cellular packet data to wireless local area networks. It illustrated how protocols like WTLS, SSL, PPTP, and IPSec are being used to secure traffic to and from PDAs. Today's column takes a closer look at one approach: using IPSec to secure PDA access to 802.11b (WiFi) wireless LANs.
If bandwidth were no object
Since the mid-'90s, mobile data services have run over wide-area networks based on Advanced Mobile Phone Service (AMPS), Cellular Digital Packet Data (CDPD), the Global System for Mobile Communication (GSM), and private radio networks operated by companies like RAM and Metricom. WiFi is a relative newcomer, so why start our story here?
WiFi eliminates a top barrier to conducting business on a PDA: limited bandwidth. Early circuit-switched cellular data services crawled at 9600 bps. Prior to shutdown last August, Ricochet pushed data at 128 Kbps. 3G services promise greater bandwidth -- for example, Verizon's recently-announced 1XRTT network offers 144 Kbps. Fast wireless WANs compete with V.90 and ISDN, but still fall far short of LAN bandwidth. On the other hand, at 11 Mbps, 802.11b eliminates bandwidth from the PDA equation.
"802.11 is helping us from a deployment perspective," said Susan Tomilo, Director of Business Development for Certicom, a wireless software vendor. "In other environments, we tend to see smaller deployments - hundreds of users. 802.11 really opens up the manufacturing sector, where we're starting to see much larger deployments."
PDA applications in WLANs
In manufacturing WLANs, employees are carrying HP Jornadas or Compaq iPaqs to check inventory. But privacy is a significant concern. "We've had customers say that, unless they had a [security] solution for handheld devices, they had to turn off their 802.11 access points," said Tomilo.
PDAs have long been used to synchronize schedules, address books, and mail messages with Microsoft Outlook, Lotus Notes, and other POP clients. On a WLAN, these applications run that much faster and become readily available throughout the office. "Of course, people in any industry can use [WLANs] for access to email, but there are many other industry-specific IT applications," said Tomilo.
According to Tomilo, "Physicians are using more PDA-based applications to write prescriptions or take notes. We're also starting to see hospitals using PDAs to access databases [over WLANs]." These applications require privacy for both data in transit and data stored on the PDA.
Even with LAN bandwidth and beefier PDAs, many enterprise applications must be adapted to fit PDA memory, display, and input limitations. According to Tomilo, "Developers like Siebel are introducing products specifically geared toward handheld platforms, using compression, skinnied-down applications, etc."
In fact, hundreds of mobile enterprise applications are available today for Palm OS and Pocket PC platforms. They run the gamut from asset tracking and CRM to sales automation and supply chain management. To learn more, sample the enterprise solution directories published by Palm, Handspring, and Microsoft. Although many of these applications have been designed for WAN use, growth in PDA WLAN use can be expected to further stimulate this market.
To enable PDA access to your WLAN, start by establishing network connectivity. Due to widespread WiFi interoperability, this may be easier than you expect.
For Palm m125, m500, or m505 PDAs, try Xircom's Wireless LAN Module. This WiFi-compliant sled supports shared key authentication and 40- or 128-bit Wired Equivalent Privacy (WEP). Use the auto-installed XircomPWE app to configure PDA and WLAN names. In open WLANs using DHCP, nothing more is required. Otherwise, enter network parameters and/or four shared keys for up to five WLAN profiles. If your WiFi access point uses ASCII WEP keys (like my Agere ORiNOCO AP2000), you must convert WEP keys to hex for entry on the Palm.
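The ASCII-to-hex conversion mentioned above, as an added example (not part of the column or of the XircomPWE software): it normalizes a WEP key typed on the access point, in either ASCII or hex form, to the hex digits the Palm side expects, and rejects lengths that fit neither WEP key size.

```python
# Added example: normalize a WEP key as configured on an access point
# (ASCII or hex) into the hex digits the Palm-side configuration wants.
#
# WEP key sizes: a "40-bit" key is 5 ASCII characters or 10 hex digits.
# A "128-bit" key is really a 104-bit secret (the other 24 bits are the
# per-frame IV), so 13 ASCII characters or 26 hex digits.
WEP_SIZES = {  # label -> (ascii_len, hex_len)
    "40-bit": (5, 10),
    "128-bit": (13, 26),
}


def wep_key_to_hex(key: str) -> tuple[str, str]:
    """Return (size_label, hex_key) for an ASCII or hex WEP key.

    Hex input may carry an optional '0x' prefix or ':'/'-'/' ' separators,
    as some AP configuration screens print them. Raises ValueError when
    the length matches neither WEP key size.
    """
    compact = key[2:] if key.lower().startswith("0x") else key
    for sep in ":- ":
        compact = compact.replace(sep, "")
    hexchars = set("0123456789abcdefABCDEF")
    looks_hex = len(compact) > 0 and set(compact) <= hexchars

    for label, (ascii_len, hex_len) in WEP_SIZES.items():
        if looks_hex and len(compact) == hex_len:
            return label, compact.lower()
        if len(key) == ascii_len:
            # ASCII keys are taken byte-for-byte, so they must be 7-bit printable
            if not all(32 <= ord(c) < 127 for c in key):
                raise ValueError("ASCII WEP key must be printable ASCII")
            return label, key.encode("ascii").hex()
    raise ValueError(
        f"{key!r} is neither 5/13 ASCII characters nor 10/26 hex digits")


if __name__ == "__main__":
    for k in ("abcde", "01:23:45:67:89:AB:CD:EF:01:23:45:67:89", "secretkey1234"):
        print(k, "->", wep_key_to_hex(k))
```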
Once initialized, XircomPWE displays MAC, IP, gateway, and DNS addresses, battery and signal strength. Using this module, the Palm can run TCP/IP applications and hot sync over WiFi. The sled comes with Corsoft Aileron Email, DPWeb Browser, vVault Desktop Access, and Certicom movianVPN applications, although vVault and movianVPN require separately purchased licenses after a trial period.
For Handspring Visors, there's the Xircom SpringPort Wireless Ethernet Module. Other Palm OS PDAs, like the Palm i705 or Sony CLIE, do not have a WiFi adapter -- yet. In next month's column, I'll examine the wireless WAN connectivity included with these and other PDA platforms.
There are many WiFi adapters available for PDAs running Pocket PC 2002 or earlier versions of Windows CE. PDAs outfitted with PC card adapters accept regular 802.11b PC cards with Pocket PC drivers -- examples include the Cisco Aironet 350 Client, the Intel PRO/wireless 2011B and the Agere ORiNOCO PC card. This is handy if you want to use the same card in your laptop and PDA. Type 1 CompactFlash WiFi cards sold by Socket and Symbol are lighter-weight alternatives designed exclusively for PDA use.
Typically, the WiFi adapter driver is installed with Microsoft ActiveSync; the user must then manually configure WLAN and adapter parameters. I added a PC card adapter to my HP Jornada 567, then installed an ORiNOCO PC card. WLAN name and WEP keys (40- or 128-bit, ASCII or hex) are configured with a Wireless Network profile wizard. In typical Windows fashion, network properties are entered by selecting the ORiNOCO wireless network adapter from the Connections control panel.
WLAN status (network and AP name, signal strength, encryption status) can be viewed from the ORiNOCO Client program. For debugging radio signal problems, this Client includes Site Monitor and Link Test panels. The Pocket PC 2002 operating system includes Pocket Outlook, Pocket Internet Explorer, MSN Messenger, Terminal Services Client, and a PPTP VPN client.
Adding VPN support
Once you've password-protected your PDA, encrypted stored data, and connected it to the corporate WLAN, it's time to secure data in transit. Shared key authentication and WEP encryption defeat casual outsider AP access and eavesdropping, but will not stop determined intruders. PDAs that conduct business with enterprise applications may require stronger authentication, privacy, and data integrity measures.
Companies that use VPN clients on teleworker PCs and traveler laptops may seek a similar approach for PDAs. Windows-only networks with PPTP gateways can use the Pocket PC VPN client. Networks protected by V-ONE's SmartGate can use the WinCE SmartPass client. Networks using another IPSec gateway to protect their WLAN should check out Certicom's movianVPN client, available for Palm OS 3.5+, HPC 2000, Pocket PC 3.0 and 2002 operating systems.
According to Certicom, movianVPN has been successfully paired with IPSec gateways from Alcatel, Avaya, CheckPoint, Cisco (3000), HP, Intel, Lucent, NetScreen, Nortel, Radguard, Secure Computing, and Symantec. If your gateway does not appear on this list, check with Certicom -- new pairings are tested as needed. Features vary by gateway. For example, Certicom's elliptic curve Diffie-Hellman is supported by Alcatel, Nortel, Cisco, and Intel. Extended Authentication with RADIUS or SecurID is possible with Cisco, Nortel, Intel, Alcatel, Lucent, and Secure Computing gateways. Tested versions and features are well-documented in the PalmOS and WinCE User Guides supplied with the movianVPN client.
I installed movianVPN 30-day trial software on a Palm m505 and HP Jornada 567, tunneling protocols like ping, email (POP/SMTP), telnet, and http through an ORiNOCO AP-2000 to a NetScreen-5XP. This client is manually configured, launched, and monitored through a single interface that feels largely consistent on both OSs. Select an operational connection before configuring a VPN policy. Separate policies can be created for different connections (e.g., Xircom sled, Minstrel modem) or networks (e.g., home and office WLANs).
Configuring VPN Policies
MovianVPN configuration varies by gateway and is not terribly complex, but PDA users may find security details a bit intimidating. Certicom's illustrated User Guides are very good, but enterprise administrators should supply customized instructions for setting parameters like gateway type and address, split tunneling, perfect forward secrecy, username (IKE ID FQDN) and password (IKE preshared secret), protected subnets, DH Group, IKE and IPSec cipher and hashed message authentication codes, and DNS addresses. Pull-down menus and defaults help, but small mistakes can lead to baffling errors.
For example, I found that I had to change movianVPN's default subnet mask from 255.255.255.0 to 0.0.0.0 and add new users to my NetScreen, named by FQDN (hostname) instead of User-FQDN (email address). For best results, get a simple security policy working (DH1, DES, MD5) and then make it stronger. This client provides progress messages and a log -- these tell you that something is wrong, but you'll need gateway-side logs and diagnostics to debug policy errors. To debug an active tunnel, this client also includes a ping client, policy status, and traffic statistics.
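The two settings the author had to reconcile with the NetScreen, the IKE identity type behind the "username" and the protected-subnet mask, as an added example that is not part of the column, movianVPN, or any gateway's software. The policy field names, the gateway user model, and the `example.com` identities are constructed; the ID type numbers are the ISAKMP values from RFC 2407.

```python
# Added example: consistency check between a client VPN policy and the
# gateway user entry it must match. Field names are constructed.
import ipaddress

# ISAKMP identification types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR, ID_FQDN, ID_USER_FQDN = 1, 2, 3
ID_NAMES = {ID_IPV4_ADDR: "IPv4 address", ID_FQDN: "FQDN (hostname)",
            ID_USER_FQDN: "User-FQDN (e-mail address)"}


def classify_ike_id(identity: str) -> int:
    """Infer which ISAKMP ID type a text identity will be sent as."""
    try:
        ipaddress.IPv4Address(identity)
        return ID_IPV4_ADDR
    except ValueError:
        pass
    # an '@' makes it an e-mail style identity, otherwise a hostname
    return ID_USER_FQDN if "@" in identity else ID_FQDN


def check_policy(client: dict, gateway: dict) -> list[str]:
    """Compare a client policy with the gateway user entry it should match.

    client  = {"username", "subnet", "mask"}  (movianVPN-style fields)
    gateway = {"user", "id_type", "proxy_net", "proxy_mask"}  (constructed)
    Returns a list of mismatches; an empty list means the two agree.
    """
    problems = []
    # Phase 1: the gateway looks up the peer by ID type AND value, so a
    # User-FQDN identity never matches a user entry defined by FQDN.
    sent = classify_ike_id(client["username"])
    if sent != gateway["id_type"]:
        problems.append(f'identity "{client["username"]}" is sent as '
                        f'{ID_NAMES[sent]} but the gateway user is defined '
                        f'as {ID_NAMES[gateway["id_type"]]}')
    elif client["username"] != gateway["user"]:
        problems.append("identity value differs from the gateway user name")
    # Phase 2: protected subnet + mask must describe the same network as
    # the gateway's proxy-ID; a default /24 mask against an "everything"
    # proxy-ID (0.0.0.0/0) is one such silent mismatch.
    client_net = ipaddress.IPv4Network(
        (client["subnet"], client["mask"]), strict=False)
    gw_net = ipaddress.IPv4Network(
        (gateway["proxy_net"], gateway["proxy_mask"]), strict=False)
    if client_net != gw_net:
        problems.append(f"protected network {client_net} != proxy-ID {gw_net}")
    return problems
```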
Desktop and laptop VPN clients are often launched at startup, but the movianVPN client requires manual login/logout by the end user. IPSec protection can be enabled/disabled at will; pop-up messages warn when traffic is sent in the clear. Once connected, I had no trouble using any application I tried over IPSec, with one exception: Pocket Internet Explorer. To use IE with a VPN client other than the built-in PPTP client, you must select "Internet" as the default in the Windows Connection Manager.
The movianVPN client connected much faster on the Jornada; tunnel establishment on the Palm m505 was noticeably slow - a function of that PDA's limited CPU. Once connected, I noticed little speed difference between checking mail on my PDA and checking mail on my laptop over the WLAN. To use your PDA extensively for business, consider further enhancements like external keyboards, desktop document exchange products like vVault, and enterprise applications tailored for PDA platforms.
Using movianVPN, a Xircom Palm sled, and an ORiNOCO PC card, I managed to integrate these two PDAs into my WLAN, using my existing WiFi access point and IPSec gateway/firewall. Of course, I was able to find a WiFi adapter/AP and VPN client/gateway combo that fit my needs. Although I would have preferred seamless policy reuse, just one gateway change was required to enable secure PDA access.
It is important to realize that every device pairing will be different. My advice is to test drive the 30-day trial software with your own VPN gateway. If this client works for you, movianVPN licenses are available by annual subscription, starting at $29.95/seat. In large enterprise deployment, there are additional issues to be considered. For example, is there any way to centrally generate and distribute VPN client policies? If not, how do you ensure end user compliance with company-defined security practices?
Today's column focused on WLAN access, but this client can also be used over Bluetooth, wired Ethernet, GSM, CDPD, and CDMA. In next month's column, I will look more closely at other secure PDA access alternatives for use in wide area networks.
This was first published in February 2002