Mobile Device Security For Dummies


by Rich Campagna


  Ensure not only that your vendor provides adequate support for current-generation platforms, but also that the vendor is committed to staying ahead of the curve with new devices and platforms as they’re introduced to the market.

  Using SSL VPN and port-forwarding client applications

  Not all SSL VPNs provide port-forwarding technology, but you may see it. As with Layer 3 network extension, the port forwarder is a dynamically delivered and installed client application that provides access to full versions of client-server applications.

  The primary difference between port-forwarding applications and Layer 3 network extenders is that the port forwarder controls access at a more granular level, specifying exactly which resources (host and port) can be reached through the VPN rather than opening a route to the whole network. The port forwarder listens on the device itself, typically on a loopback address, and the client application is pointed at that local listener, so the application believes that it is talking directly to the destination application server. The port forwarder intercepts this traffic and forwards it to the SSL VPN appliance over the secure connection, where it’s then forwarded to the final destination, the application server.

  In some cases, the port-forwarding application can also specify which processes on the client side are allowed to access the tunnel, not only the destination. In other words, you might have a policy that states that only Mobile Outlook can use the connection, and it can only pass traffic to certain ports on the Microsoft Exchange messaging server. You get a much more granular level of control than a Layer 3 network extender can provide, and depending on your organizational needs, you might use port forwarding for some users and network extension for others. This is a policy choice rather than a hard-and-fast rule. For example, we frequently see organizations provide full network extension for employees, but port forwarding for only a defined set of applications for partners, specifically because their security policies prohibit partners from having full network access.
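The mechanism described above, as an added example that is not from the book and not any vendor's client code: a loopback listener that stands in for one application server and relays bytes to it, but only after a role-based policy has approved that exact host and port. The roles, hostnames and ports are invented, and the TLS leg to the appliance is replaced by a caller-supplied connect function so the example runs offline against a local echo server.

```python
import socket
import threading

# Constructed role policy in the spirit of the text: a role may reach only the
# listed (destination host, destination port) pairs through the tunnel.
# Hostnames and ports are illustrative, not from any real deployment.
POLICY = {
    "employee": {("mail.example.internal", 443), ("intranet.example.internal", 443)},
    "partner": {("crm.example.internal", 443)},
}


def policy_allows(role, dest_host, dest_port):
    """Granular check: may this role reach exactly this host:port?"""
    return (dest_host, dest_port) in POLICY.get(role, set())


def _pump(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortForwarder:
    """Loopback listener the client application is pointed at; it believes it is
    talking to dest_host:dest_port. connect_upstream (an assumption for the
    example) stands in for the TLS leg to the SSL VPN appliance."""

    def __init__(self, role, dest_host, dest_port, connect_upstream):
        if not policy_allows(role, dest_host, dest_port):
            raise PermissionError(f"{role} may not reach {dest_host}:{dest_port}")
        self.dest = (dest_host, dest_port)
        self.connect_upstream = connect_upstream
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))  # loopback only, never exposed to the LAN
        self.listener.listen(5)
        self.local_port = self.listener.getsockname()[1]

    def serve_one(self):
        """Accept one client connection and relay it in both directions."""
        client, _ = self.listener.accept()
        upstream = self.connect_upstream(*self.dest)
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)
        back.join()
        client.close()
        upstream.close()
        self.listener.close()


def start_echo_server():
    """Constructed stand-in for the application server behind the appliance."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def round_trip(role, dest_host, dest_port, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Send payload through a forwarder for `role`; return the reply, or None
    when policy refuses to open a local port for that destination at all."""
    if not policy_allows(role, dest_host, dest_port):
        return None
    echo_port = start_echo_server()
    fwd = PortForwarder(role, dest_host, dest_port,
                        lambda host, port: socket.create_connection(("127.0.0.1", echo_port)))
    worker = threading.Thread(target=fwd.serve_one, daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", fwd.local_port)) as app:
        app.sendall(payload)
        app.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = app.recv(4096)
            if not chunk:
                break
            reply += chunk
    worker.join(timeout=5)
    return reply


if __name__ == "__main__":
    print(round_trip("partner", "crm.example.internal", 443))   # echoed request
    print(round_trip("partner", "mail.example.internal", 443))  # None: not in policy
```

The policy decision is made before a local port is even opened, which is the property that distinguishes a port forwarder from a Layer 3 extender: a partner's device never has a path to the mail server, not merely a path that is filtered later. A real client would also restrict which local process may connect to the listener, as the text notes; that check is platform-specific and is not shown here.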

  Note that port-forwarding applications have yet to really take off in the mobile device market, so very few vendors provide this type of solution for smartphone platforms. You may find it for one or two smartphone platforms, but not for all. A Layer 3 VPN, either SSL or IPsec, will likely be the only choice you have for access across the wide range of smartphones that your organization might want to allow onto the network.

  Case Study: AcmeGizmo SSL VPN Rollout for Smartphones

  Returning to our ongoing case study on AcmeGizmo, Ivan, the IT manager, is at the point where he wants to start exploring how to securely connect employee mobile devices to the corporate network and protect sensitive data as it transits the Internet.

  Recall from Chapter 1 that AcmeGizmo currently offers three mechanisms for connecting into corporate from any device. Users on corporate-issued BlackBerry devices connect to the network via AcmeGizmo’s BlackBerry Enterprise Server. Users on corporate-issued Windows laptops connect to the network via an IPsec VPN solution from a company called Connect PC. Finally, Ivan recently began to allow a select group of mobile devices to connect directly to the corporate mail server, though he has discovered that the word has gotten around and, to his surprise, over 500 devices are now connecting via this mechanism. Figure 7-3 shows the current remote access strategy at AcmeGizmo.

  Figure 7-3: The current AcmeGizmo remote access network.

  While in the process of securing his mobile device remote access deployment, Ivan would like to consolidate remote access to fewer appliances in the corporate data center. His rationale is that this will help reduce management and administration overhead, while simultaneously lessening the probability that a misconfiguration or vulnerability will result in data theft.

  Three primary groups of employees (a general group, executives, and salespeople) need Ivan to provide them with mobile device access to the network. Each requested access to different sets of applications and data. Ivan’s challenge is to put into place a strategy that serves all of these employees across the different sets of devices that they wish to bring into the network.

  Employee authentication

  Ever since he found an employee’s password affixed via a sticky note to the bottom of an AcmeGizmo laptop, Ivan has been considering a stronger authentication solution than the standard username and password requirement that AcmeGizmo has been using for years. He has decided that he will employ a stronger authentication solution for all employees as he makes the transition to the new remote access strategy.

  The new policy will be that all users accessing the AcmeGizmo corporate network from outside the local area network (LAN) must use the two-factor authentication solution that he has purchased. Based on preference, some employees will carry with them a hardware token that updates automatically every 60 seconds with the newest one-time password. Other employees will not need to carry a token, but instead will be sent a text message when they attempt to log in to the corporate network remotely. That text message includes the one-time password.

  Each employee enters his username, personal identification number (PIN), and the current token code in order to authenticate to the network from any device. After the employee is authenticated, the new remote access system also queries AcmeGizmo’s Active Directory (AD) server to determine which group(s) the employee belongs to (Executives, Enterprise Sales, or the general Employees group). This tells the remote access system the level and type of access each specific user gets.
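The two-factor login described above, as an added example that is not from the book and not AcmeGizmo's or any vendor's product: a time-based one-time password in the style of RFC 6238 (the book does not say which algorithm the tokens use; the 60-second step and the PIN-plus-token login are taken from the text), with the server-side check a practitioner would want, namely a small clock-skew window and replay protection so that a code is never accepted twice. The user directory and secrets are constructed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: dynamic truncation of HMAC(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, step=60, digits=6):
    """Token code for the time window containing `now` (Unix seconds).
    The text's hardware token rolls over every 60 seconds, hence step=60."""
    return hotp(secret, now // step, digits)


class TokenVerifier:
    """Server side of the login: username + PIN + token, with a skew window
    and replay protection. `users` is a constructed directory of the form
    {username: {"pin": str, "secret": bytes}}."""

    def __init__(self, users, step=60, window=1, digits=6):
        self.users = users
        self.step = step
        self.window = window      # accept counter-1 .. counter+1 to absorb clock drift
        self.digits = digits
        self.used = set()         # (username, counter) pairs already consumed

    def verify(self, username, pin, token, now=None):
        now = int(time.time()) if now is None else now
        record = self.users.get(username)
        if record is None:
            return False
        # Constant-time comparisons so the check does not leak by timing.
        if not hmac.compare_digest(record["pin"], pin):
            return False
        counter = now // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(record["secret"], c, self.digits), token):
                if (username, c) in self.used:
                    return False  # replay: this one-time password was already spent
                self.used.add((username, c))
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed token seed
    directory = {"ivan": {"pin": "4711", "secret": secret}}
    v = TokenVerifier(directory)
    code = totp(secret, int(time.time()))
    print(v.verify("ivan", "4711", code))   # True on first use
    print(v.verify("ivan", "4711", code))   # False: replay rejected
```

The text-message variant the book describes is the same construction with the counter chosen by the server when it sends the message, so the same `hotp` function and the same spent-code bookkeeping apply; what changes is only how the code reaches the user. The window should stay small (one step either side), since every extra step multiplies the number of codes an attacker can guess against.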

  Accessing the network with SSL VPN

  Ivan took a look at the various VPN offerings available and decided to purchase an SSL VPN from Juniper Networks since it integrates with the endpoint security solution for mobile devices that he is also looking at from the same company.

  Ivan decided that all remote access users from Windows laptops and Apple iOS, Google Android, Nokia Symbian, and Windows Phone devices will access the corporate network through the SSL VPN. The only device type in the AcmeGizmo network that will not leverage the SSL VPN is the existing BlackBerry devices. Ivan recognizes that the BlackBerry Enterprise Server (BES) that’s already deployed in the network is a feature-rich and secure single-platform solution. Rather than remove the BES and migrate all the existing users, he has decided he will continue to leverage the deployment that is up and running. Ivan also has to ban any device types other than the aforementioned devices from the corporate network.

  On the device itself, all employees will be asked to download the Junos Pulse client software. In some cases, this is deployed to the device via a link in a text message sent to the device upon registration. In other cases, the employee downloads the software from the application store for their particular device. Regardless, this endpoint software is the single agent that Ivan needs to ensure resides on each device.

  When attempting to connect to the network via Junos Pulse, each user is prompted for his username, PIN, and one-time password, as described previously. From there, the SSL VPN groups that user into one of three roles and assigns them the appropriate level of access.

  General employee access

  In the past, most employees were not provided with a corporate-issued BlackBerry, so they didn’t have access to their e-mail, calendar, and contacts when not in front of their laptops. Ivan’s boss, Steve, however, feels strongly that allowing this level of access could boost productivity across the company, so he has informed Ivan that he would like to figure out a strategy that will allow all employees to access their e-mail, calendar, and contacts, but restrict access to everything else from their mobile devices. These employees don’t need to download and install Junos Pulse on their devices. Instead, they leverage the native configuration in their smartphones to have them connect directly to the SSL VPN appliance via the ActiveSync proxy functionality, which will secure the connection and provide a very limited access for these employees.

  Executive access

  The executives within AcmeGizmo who wish to access corporate data require access to a wide range of applications. E-mail, calendar, and contacts are, of course, critical for each of them to have access to. Beyond that, they require access to several sites on the AcmeGizmo intranet, as well as access to several applications that have been purpose-built for smartphones, including the company’s customer relationship management (CRM) application.

  As with the Enterprise Sales team, each executive has Junos Pulse installed on his or her device. When the executive logs into Junos Pulse, the software determines that the person in question is in the Executives group and provisions a full Layer 3 SSL VPN tunnel into the corporate network. This ensures that each executive has access to all aspects of the AcmeGizmo network. In fact, the full Layer 3 access provides an experience similar to the experience that the executive has when accessing the corporate network from his or her Windows laptop on the corporate LAN.

  Enterprise Sales access

  The Enterprise Sales team has only a very specific access need above and beyond what the general employee group requires. These employees require access to the intranet and the company’s CRM application, both of which are web-based applications served from the company intranet. As with the executives, these employees have Junos Pulse installed on their mobile devices. When they log in using their one-time passwords, the SSL VPN system identifies them as Sales users, automatically provisioning access to their e-mail, calendar, and contacts; it also provisions bookmarks in Junos Pulse, pointing them to both the intranet and the CRM site by leveraging the rewriter function in the SSL VPN.

  Figure 7-4 shows the new AcmeGizmo remote access deployment. As you can see, in addition to making strong authentication a mandatory part of access into the AcmeGizmo network, Ivan has been able to consolidate the number of entry points into the network, and also remove the e-mail server from the demilitarized zone (DMZ).

  Figure 7-4: Final AcmeGizmo remote access network.

  Chapter 8

  Connecting to Wi-Fi Networks

  In This Chapter

  Connecting to Wi-Fi networks from iPhones, iPads, and Android devices

  Configuring Wi-Fi settings and policies for mobile devices

  Mobile devices such as iPhones, iPads, and those running the Android operating system have sophisticated Wi-Fi capabilities, allowing them to connect to public and private networks for Internet access. Device users can connect to networks at public places, such as coffee shops, airports, and hotels, and to private networks, including corporate and home networks.

  This chapter explores the world of Wi-Fi on mobile devices and describes ways users can connect to networks and how you can manage policies and settings for Wi-Fi access. We also discuss the risks of users connecting to certain public Wi-Fi networks, especially those that are open and allow any device or user to connect to them. Finally, we look at options for securing your corporate Wi-Fi network.

  What’s Wi-Fi, and Why Bother?

  Smartphones today have access to the wireless carrier’s data network, enabling them to send and receive data such as e-mails and text messages. Wireless carriers have built elaborate networks to handle the load of millions of smartphone users. In many cases, these are 3G (or third-generation) networks, and some carriers have even built more sophisticated 4G or LTE (Long Term Evolution) networks. 4G or LTE networks have greater capacity and bandwidth than the older third-generation networks.

  In many cases, however, such networks have inadequate coverage or capacity, causing devices either to lose network coverage or to experience slow network access. Most people have experienced outages of this sort, especially in crowded cities or downtown locations where many devices compete for the carrier’s network.

  Enter Wi-Fi technology, which is designed to connect computers or other devices within short distances without needing cables. Wi-Fi allows the connection of multiple devices into a single network, all of which can then browse the web, send e-mail, and connect to the Internet. In your organization, you can create a corporate Wi-Fi network to which employees connect their various devices, including laptop computers, smartphones, and tablets.

  Wi-Fi networks provide a sigh of relief to smartphone users in counteracting the unpredictability of carrier networks. Wi-Fi networks provide Internet access in various locations, such as hotels, airports, and coffee shops. Users at these locations can get off their 3G networks and connect to a typically more stable, and often faster, Wi-Fi network. Many Wi-Fi networks are public or insecure, meaning that any device or user can connect to them. Insecure networks come with some risk, exposing users to the possibility that their data (such as e-mail or web pages) could be read by other people who are connected to the same network.

  With the increasing number of smartphones and people using these devices for browsing the web or sending e-mails, the appetite for network capacity is increasing rapidly. Therefore, Wi-Fi networks are being deployed at more and more locations, providing network access to millions of users every day.

  Which Wi-Fi Networks Should Users Connect To?

  Not all Wi-Fi networks are secure. Some are open networks, requiring no authentication of the devices or the users connecting to them. These open networks may be deployed at airports or coffee shops. All it takes for a user to connect to such a network is to find the open network by name (its Service Set Identifier, or SSID) and connect to it. No password is required, thereby letting anyone connect to the network.

  Wi-Fi networks can be secured by requiring a password or using other techniques. Such networks are relatively more secure to connect to. But depending on the nature of security deployed in the Wi-Fi policy, these networks can also be snooped on. In the following sections, we look at the two broad categories of Wi-Fi networks to which users can connect their smartphones and tablets.

  Open or insecure networks

  Open networks can be joined by any user from any device without entering a password. These networks are typically the riskiest for users to connect to, because traffic is sent over the air unencrypted: anyone in radio range with a packet sniffer, not only users who have joined the network, can capture what other users send and receive from laptop computers, tablets, or smartphones.

  Traffic that is easy to snoop on includes open or unsecured browsing traffic, such as visiting a website that does not use SSL encryption. Unfortunately, at the time of writing many popular websites, such as Facebook, Yahoo!, and Twitter, did not require SSL for ordinary browsing, so when users browse such sites over an open Wi-Fi network, they’re vulnerable to being snooped on.

  Websites or applications that use SSL encryption are protected from snooping by others on the same Wi-Fi network. While browsing, users can easily see whether SSL is in use: it usually appears as a padlock in the browser, sometimes along with the name of the server the user is connected to. Users should also never tap through a certificate warning, because on an open network such a warning can mean that someone is intercepting the connection. When users browse to websites that do not use SSL, their information is visible and readable by others on an open Wi-Fi network.

  If you’re managing mobility policies for your corporate users, you need to strongly discourage them from connecting to open Wi-Fi networks from their smartphones or tablets. Whether your employees are using personal devices or corporate-owned devices, you don’t want users on an open Wi-Fi network.

  Encrypted Wi-Fi networks

  Wi-Fi networks can be secured using techniques called WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), or WPA2 (a more recent form of WPA). Among these three, WEP is by far the weakest: its encryption scheme has well-known flaws that let an attacker recover the key from captured traffic in minutes, so a WEP-protected network should be treated as little better than an open one. In addition, because every device on a WEP network shares the same key, anyone who has successfully connected to a WEP-encrypted network can view traffic generated by other users or devices on the same network.

  WPA and WPA2 employ stronger encryption than WEP, and WPA2 is the more recent and stronger of the two. WPA2 comes in two flavors: WPA2-personal and WPA2-enterprise. WPA2-personal protects the network with a single preshared passphrase, which is fine for private networks such as home networks, but anyone who knows the passphrase and captures a device’s join handshake can decrypt that device’s traffic. WPA2-enterprise authenticates each user individually (typically with 802.1X against a RADIUS server) and gives each device its own session keys, so it is the best choice for corporate Wi-Fi networks.

  As an administrator recommending mobility policies, you can feel secure if users are connecting to WPA2-secured Wi-Fi networks from their smartphones and tablets.
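The categories above, turned into a check a mobility administrator could run over a scan of nearby networks. This is an added example, not from the book: the scan text is constructed in the terse "SSID:SECURITY" form of `nmcli -t -f SSID,SECURITY dev wifi` (the SSIDs are invented), and the verdicts encode the chapter's guidance, with one addition of our own: a mixed WPA/WPA2 network is treated as WPA-only and allowed only with a VPN, since such an access point still serves WPA1 clients.

```python
# Constructed scan output in nmcli's terse form: SSID:SECURITY, one row per
# network, empty SECURITY for an open network, a colon inside an SSID escaped as "\:".
SCAN = """\
CoffeeShop-Free:
Airport\\:Lounge:
OldOfficePrinter:WEP
HomeNet:WPA2
AcmeGizmo-Corp:WPA2 802.1X
LegacyAP:WPA1 WPA2
"""

# Policy verdicts per category (this example's reading of the chapter's advice).
VERDICT = {
    "open": "deny",               # anyone in range can read the traffic
    "wep": "deny",                # broken cipher; treat like open
    "wpa-personal": "vpn-required",
    "wpa2-personal": "allow",
    "wpa2-enterprise": "allow",   # per-user credentials, per-session keys
}


def classify(security):
    """Map the SECURITY flags of one scan row to a category name."""
    flags = security.split()
    if not flags:
        return "open"
    if "WEP" in flags:
        return "wep"
    if "802.1X" in flags:
        return "wpa2-enterprise" if "WPA2" in flags else "wpa-enterprise"
    if "WPA1" in flags:
        return "wpa-personal"     # WPA1-only or mixed mode: WPA1 clients still served
    if "WPA2" in flags:
        return "wpa2-personal"
    return "unknown"


def parse_scan(text):
    """Return [(ssid, category)] from terse nmcli rows; the last ':' separates the fields."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, _, security = line.rpartition(":")
        rows.append((ssid.replace("\\:", ":"), classify(security)))
    return rows


def evaluate(text):
    """Return [(ssid, category, verdict)]; any category not in VERDICT fails closed."""
    return [(ssid, kind, VERDICT.get(kind, "deny")) for ssid, kind in parse_scan(text)]


if __name__ == "__main__":
    for ssid, kind, verdict in evaluate(SCAN):
        print(f"{ssid:20} {kind:16} {verdict}")
```

Unknown security strings fall to "deny" rather than "allow"; a classifier that meets a flag it has not seen before should refuse, not guess.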

  VPN on a Wi-Fi network

  If your users do happen to connect to an open Wi-Fi network, make sure they use VPN on their devices to connect to your corporate VPN gateway. A VPN builds an encrypted tunnel from the device to the VPN gateway, so traffic inside the tunnel is invisible to network snoopers. Note that this protects only the traffic that is actually routed through the tunnel: a VPN client configured for split tunneling sends only corporate destinations through the gateway and leaves the rest of the device’s traffic exposed on the open network, so for this purpose require a full tunnel. VPN comes in IPsec and SSL flavors, both of which have their pros and cons. Most laptop PCs, Apple Macs, smartphones, and tablets include built-in VPN clients that work with the leading networking vendors’ gateways.

  Chapter 7 describes VPN in greater detail and runs down the corporate options to use VPN on various devices.

  As previously mentioned, you want to strongly discourage users from connecting to open Wi-Fi networks. However, your users may connect their devices to open networks anyway, so you must consider VPN as a required policy in such cases.
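A way to verify the full-tunnel requirement from the device side, as an added example not from the book: given routing-table text in `ip route` form (Linux, and Android via `adb shell ip route`), decide whether the VPN has really captured the default route and list the routes that bypass it. Both tables are constructed; the interface names and addresses are invented. The check handles the common client trick of installing 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which beats the DHCP default route without replacing it.

```python
import ipaddress

# Constructed `ip route` output for a split-tunnel client: only 10.8.0.0/24
# goes through tun0, everything else still leaves over the open Wi-Fi (wlan0).
SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

# Constructed output for a full-tunnel client: the two /1 routes via tun0
# beat the /0 default; the /32 is the VPN gateway itself, which must stay direct.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
203.0.113.10 via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text):
    """Return [(network, interface)] from `ip route` lines; 'default' is 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        iface = tokens[tokens.index("dev") + 1] if "dev" in tokens else None
        routes.append((ipaddress.ip_network(dest, strict=False), iface))
    return routes


def tunnel_status(text, tunnel_iface="tun0"):
    """Return (full_tunnel, bypasses).

    full_tunnel is True when the routes via the tunnel interface collapse to
    0.0.0.0/0. bypasses lists routes that are more specific than a tunnel
    route covering them and so leave the tunnel; they need human review (the
    gateway's own host route and the local link subnet are expected there)."""
    routes = parse_routes(text)
    via_tunnel = [net for net, iface in routes if iface == tunnel_iface]
    everything = ipaddress.ip_network("0.0.0.0/0")
    full = list(ipaddress.collapse_addresses(via_tunnel)) == [everything]
    bypasses = [
        str(net)
        for net, iface in routes
        if iface != tunnel_iface
        and any(net.subnet_of(t) and t.prefixlen < net.prefixlen for t in via_tunnel)
    ]
    return full, bypasses


if __name__ == "__main__":
    print(tunnel_status(SPLIT_TUNNEL))  # (False, [])
    print(tunnel_status(FULL_TUNNEL))   # (True, ['203.0.113.10/32', '192.168.1.0/24'])
```

On a managed device this is the kind of check an endpoint agent would run before declaring the connection compliant; a result of `False` means the "all traffic is encrypted" assumption does not hold, however strong the tunnel itself is.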

  Wi-Fi Connections from Mobile Devices

  In this section, we look at how users can connect to Wi-Fi networks from their mobile devices. We focus on the most popular types of devices available: Apple iOS, Google Android, and BlackBerry. We run down some techniques you may want to use when instructing your corporate users. We include signs that users need to watch out for, such as the absence of security on a Wi-Fi network. Make sure that users are wary and cautious of connecting to open networks.

  Apple iPhones, iPads, and iPods

  The iPhone, iPad, and iPod touch all run a single operating system, Apple iOS, which makes the configuration of Wi-Fi identical on each of them.

  Here are the steps that your users need take to connect to a Wi-Fi network — at home, at a public location, or at work — from devices running the Apple iOS operating system:

 
