
The VPN Expert: Securing PDA enterprise network access

Advances in PDA networks and platforms are creating real demand for remote access to enterprise networks.


by Lisa Phifer, Core Competence

Ever since the Palm Pilot's debut, administrators have been under fire to support PDAs as an integral part of IT infrastructure. When PDAs were simply portable contact managers, integration meant little more than synchronizing address books and calendars. Many exchanged brief messages using or a personal point of presence account. But with limited memory and bandwidth, there was little real demand for remote access to enterprise networks.

Advances in PDA networks and platforms are changing that. Today's PDAs are far more capable: Palm OS platforms start at 8 MB, while Pocket PC 2002 platforms now ship with 64 MB and 206 MHz processors. Wireless WANs based on CDMA (Code-division Multiple Access), GSM (Global System for Mobile communication), GPRS (General Packet Radio Services), or CDPD (Cellular Digital Packet Data) may still be limited to 14.4 or 28.8 Kbps, but PDA analog modems operate at 56 Kbps. CompactFlash slots and PCMCIA jackets enable access to Ethernet LANs, Bluetooth personal area networks, and 802.11b wireless LANs at 1 to 11 Mbps.

As PDAs get more robust and better connected, their role is changing. Increasingly, administrators are challenged to bring PDAs into the IT fold. Doing so safely means hardening PDAs against attack. Unauthorized access to lost or stolen PDAs can be neutralized by power-on passwords and data encryption products like PDA Defense and movianCrypt. But what about privacy, integrity, and authenticity for enterprise network access?

Gateways for roaming PDAs
Because most corporate travelers now carry PDAs, there is growing interest in PDA-based secure WAN access to back-office systems.

Those willing to accept public telephone network privacy may consider a service like RemotePipes VSPOP. Users dial an 800 number to reach a RemotePipes "virtual secure point of presence." IPSec tunnels secure traffic from the VSPOP to the enterprise firewall protecting back-office applications. "We utilize Nortel Shasta and CVX equipment, in conjunction with our expertise and jointly-developed software, to enable any PC, laptop, Palm, or Pocket PC to access corporate networks with no client software," said Doug Bonestroo, CEO.

Those requiring end-to-end (client to server) privacy can "web-enable" enterprise applications, securing them with Secure Sockets Layer (SSL). Traditional websites are often hard to use on small-screen PDAs. Wireless Application Protocol (WAP) gateways can translate HTML/SSL into Wireless Markup Language (WML)/Wireless Transport Layer Security (WTLS) to accommodate small displays -- notably on smartphones. However, WAP requires development per application and introduces a "WAP gap" -- a point of vulnerability at the (usually carrier-operated) gateway.

Another browser-based alternative is to deploy an enterprise SSL gateway like Neoteris Instant Virtual Extranet or uRoam FirePass. FirePass lets PCs, smartphones, Palms, and Pocket PCs tunnel over SSL or WTLS to a FirePass Server -- an appliance deployed near the company's firewall. The uRoam MyDesktop graphical user interface provides PDA-friendly access to Microsoft Outlook, Lotus Notes, and File Manager applications running on a PC in the target network. A "webifyer" can integrate other enterprise applications.

VPN clients for PDAs
Companies that already use VPN clients to secure teleworker PC and traveler laptop access may prefer a client-based approach for PDAs. Building a consistent, cross-platform solution that secures WAN, wireless LAN, and personal area network access by any device may sound attractive, but is it really feasible?

Microsoft's new Pocket PC 2002 lets PDAs with wired or wireless connections use Connection Manager to launch the built-in Point-to-Point Tunneling Protocol (PPTP) client, tunneling traffic to a PPTP server. The server can be a PC running NT or Windows 2000 RRAS or a PPTP-enabled Internet appliance or firewall. Because PPTP is comparatively easy to deploy, many small companies use it. Larger enterprises tend to invest in more secure alternatives like IPSec.

After Microsoft's dial-up client, the most widely-used Win32 VPN client today is SafeNet's SoftPK. In December, SafeNet announced SoftRemotePDA, an IPSec client for Palm OS PDAs with CDPD access. According to Maureen Kolb, corporate communications manager, SoftRemotePDA beta testing is still underway. "We recommend an m500 series because it works much faster, but we can also work with the Palm Vx. We've tested with AT&T and Verizon, but will probably work with other [CDPD providers]," said Kolb. While SoftRemotePDA sounds promising, those needing solutions for other OSs or networks must look elsewhere.

Certicom's movianVPN has a broader reach. This IPSec client is available today on Palm OS 3.5+, Handheld PC 2000, Pocket PC 3.0, and Pocket PC 2002. It has been used with Ethernet, 802.11b, CDMA, CDPD, GSM, GPRS, Integrated Digital Enhanced Network (iDEN), Time Division Multiple Access (TDMA), 56K analog modems, and Bluetooth, tested with dozens of PDAs, modems, and network providers. According to Susan Tomilo, director of business development, "We've found that, even though all of these products are allegedly standards-based, our customers will try a new combination and find something that needs work. We do the interoperability testing to make our product broadly interoperable across the entire value chain."

PDA VPN clients have been slow to take hold, but Certicom saw growth after releasing 802.11b support in October. "In earlier days, part of the problem was that the network itself was slow," said Tomilo. "Mobile applications were certainly usable, but they were not the main tool. With 802.11b, handheld devices can be primary tools. In some cases, we're now seeing workers using 802.11b in the factory and Sprint or ATT outside the factory."

To overcome device limitations, movianVPN supports both standard Diffie-Hellman and elliptic curve Diffie-Hellman (ECDH). "Some VPN gateway manufacturers (Alcatel, Nortel, Cisco, Intel) have deployed our ECDH technology," said Tomilo. "With new PDAs, some of these barriers are going away. Our product lets enterprises do more with smaller devices. They don't expect handhelds to do everything that you can do with a laptop, but we're letting you do more with them."
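To make the DH-versus-ECDH trade-off concrete, here is an added example (not code from the column or from Certicom's product) that runs both key agreements between a "PDA" and a "gateway" and reports the operand size each one works with. It uses two public parameter sets as assumptions: RFC 2409 Oakley group 2 for classic 1024-bit DH and the secp256k1 curve for ECDH; a 256-bit curve exceeds the security of a 1024-bit MODP group while its scalars and coordinates are a quarter the size, which is the saving a constrained device cares about.

```python
import secrets
# Oakley group 2 (RFC 2409): 1024-bit MODP prime, generator 2 (public parameters, assumed here).
P_MODP = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
             "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
             "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
             "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
# secp256k1: y^2 = x^3 + 7 over GF(P_EC); standard public parameters, not vendor code.
P_EC = 2**256 - 2**32 - 977
N_EC = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G_EC = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p, q):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_EC == 0:
        return None                                   # p == -q
    if p == q:                                        # doubling (curve has a = 0)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_EC) % P_EC
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_EC) % P_EC
    x3 = (lam * lam - x1 - x2) % P_EC
    return x3, (lam * (x1 - x3) - y1) % P_EC

def ec_mul(k, p):
    r = None                                          # double-and-add k*p
    while k:
        if k & 1: r = ec_add(r, p)
        p, k = ec_add(p, p), k >> 1
    return r

def dh_keypair():        # classic DH: private exponent x, public 2^x mod p
    x = secrets.randbelow(P_MODP - 2) + 1
    return x, pow(2, x, P_MODP)
def dh_shared(x, peer_pub):
    return pow(peer_pub, x, P_MODP)
def ecdh_keypair():      # ECDH: private scalar d, public point d*G
    d = secrets.randbelow(N_EC - 1) + 1
    return d, ec_mul(d, G_EC)
def ecdh_shared(d, peer_pub):
    return ec_mul(d, peer_pub)[0]                     # agreed secret is the x-coordinate

def demo():
    """Both sides derive the same secret with each method; sizes show why ECDH is lighter."""
    a, A = dh_keypair(); b, B = dh_keypair()
    c, C = ecdh_keypair(); d, D = ecdh_keypair()
    return {"dh_ok": dh_shared(a, B) == dh_shared(b, A),
            "ecdh_ok": ecdh_shared(c, D) == ecdh_shared(d, C),
            "dh_bits": P_MODP.bit_length(), "ecdh_bits": P_EC.bit_length()}
```

Wall-clock timing in this script is not representative, because Python's pow() is native while the curve arithmetic is interpreted; the meaningful comparison is the operand width each side must handle.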

The devil is in the detail
Administrators know that ideas that sound great at 30,000 feet can fall apart somewhere between conception and deployment. In coming months, we will take a closer look at how these PDA VPN solutions are deployed and the PDA/network/gateway combinations that are supported. We will look at who is using PDA VPNs and the kinds of applications they run. Ultimately, we hope to help you better appreciate the capabilities and limitations of PDA participation in enterprise VPNs. Stay tuned for next month's column.

This was last published in January 2002
