COMPUTER SECURITY ISSUES ADDRESSED Access all areas - vnunet.comAccess all areas
Doubts about security have long discouraged many firms from deploying mobile computing. But wireless technology has moved on

Martin Lynch, Computer Reseller News 25 Oct 2004
When many companies find it hard enough to control the IT use of office-based employees, how do you convince them that giving staff remote access is a good idea?

This is the dilemma that faces all notebook, wireless networking and remote-management software manufacturers and resellers. There are a lot of variables to consider. The process of providing a mobile solution to employees to enable remote access to the corporate network is not something businesses do lightly.

It is, however, something many of them get wrong. From tales of employees leaving their laptops in the back of taxis to hackers sniffing the airwaves for badly protected data, mobile working is still a concept that has to be sold to wary customers.

There is a general lack of trust about remote working. And with good reason. Security on remote devices has been woefully inadequate. The underlying wireless infrastructure and insecure Wired Equivalent Privacy (WEP) security protocol has been shown to have more holes than a lump of Swiss cheese.

Then there are your employees: do you really trust them to responsibly protect a £2,000 laptop crammed with company data? There are still those that don't. And even if you implement a wonderful Secure Socket Layer (SSL) VPN for transferring basic information back and forth between you and employees, is that £2,000 laptop secure enough if it falls into the wrong hands?

"The perception of remote working in business is on the up," says Bal Phull, marketing communications manager at D-Link. "Many perceive that the concept is good but recognise that there are implications for the IT department. The cultural difference of allowing people to work on the move is also taking time to change, but not as fast as we thought it would.

"We are seeing encouraging signs from the resellers, though. Companies still believe their employees will not work as hard if they cannot see them. It's an issue of trust. The truth is that a remote worker often works a longer day."

Gary Duke, sales director at LAN 2 LAN, says: "The first problem any company has is the one that concerns the loss of intellectual property. They just don't like the idea of letting people out of the office with devices, or memory cards, filled with the company information. For remote access to simple email and contact-management applications, though, many companies are now on board."

Kevin Vine, director of networking sales at Ingram Micro, agrees. "If it's just allowing access to email/contact-management or diary applications, most firms are working towards that or are there already.

"Now, from some of the feedback we get from our resellers, they want to roll out access to more corporate applications. But to do that they need some form of quality of service and security assurances," he says. The two main areas of mobility are the underlying infrastructure of wireless networks and remote networking, and the increased security of mobile devices such as notebooks.

Wireless networking has always been a security quagmire. The mere fact that data is flying through the air makes it easier to intercept. And, like virus writers versus anti-virus software companies, wireless hackers have been one step ahead of wireless security standards. A few years ago, wireless networks were found mainly in the home, not the workplace.

This explains why the early 802.11 wireless standards placed so little emphasis on security, scalability or network management. When you were only talking about one wireless router per home, managing two PCs, a laptop and maybe the microwave, there didn't seem much need.

Thankfully things have moved on, albeit very slowly. With the adoption of the long-awaited 802.11i security standard in June, there is finally a robust set of standards that will allow companies to roll out wireless networks that offer wired network security.

With products only now starting to appear, it will be next year before the market is flooded with 802.11i enhanced wireless products. In the meantime, channel partners and vendors have their work cut out to combat all of that negative publicity in the business customer's mind.

"In addition to supporting mobile users, wireless today delivers enough performance to meet day-to-day, mainstream desktop computing requirements as well," says Scott Rivers, product manager at 3Com.

"What has stymied its widespread adoption, however, is the perception held by many IT administrators that wireless lacks the security of wired networks. As digital threats increase in their frequency and severity, many organisations are shying away from wireless solutions until they offer truly robust protection.

"This concern is justified. The Wi-Fi standard was developed to provide both consumers and enterprises with easy implementation. It's 40bit, shared-key WEP [Wired Equivalent Privacy] security, which all Wi-Fi-certified products have, delivers baseline protection, not an end-to-end security solution.

"This level of security is adequate for most SoHo [small office/home office] and enterprise users who want to deter casual eavesdropping on their wireless networks or drive-by hackers looking for an open wireless system, but it falls short of the needs of many businesses and organisations."

Most wireless LANs are based on 802.11b, although many new products support the faster and more robust 802.11g. The security offered was WEP, which has come in for a lot of stick in recent times, and with good reason.

It must be remembered, though, that when it was created, wireless networking was largely a home-based phenomenon where security of data was not an issue.

It wasn't long after WEP arrived, offering very low 40bit encryption, that hackers with a laptop, antenna, and some downloaded software from the internet could drive around business districts snatching wireless packets from the air in an effort to find a door into a corporate network.

A lot of the time they did, while the rest of the time they could just steal data from the mobile devices of unsuspecting professionals.

So while WEP was being whipped by the media and corporate confidence was plummeting, the Institute of Electrical and Electronics Engineers introduced Wi-Fi Protected Access (WPA) at the end of 2002 - a sub-set of the newly launched 802.11i security standard, which it was working on.

WPA used the Temporal Key Integrity Protocol (TKIP) for encryption, as well as the Extended Authentication Protocol for authentication and key distribution. In addition, Message Integrity Check (MIC) is used to protect against forgeries.

TKIP can dynamically change the encryption key used to send data across the wireless network - right down to assigning a different key for every data packet. With most products now supporting WPA, and the arrival of the official version 802.11i, WLAN security has improved significantly - certainly to a level that should make many businesses comfortable.

Within 802.11i, there is Advanced Encryption Standard (AES), which boosts WEP's inadequate 40bit security to a variety of levels, ranging from 128bit to 256bit. With AES, wired network security levels have finally made it to the wireless world.

VPN's rising star

Now you can securely access data over a wireless connection, what do you use to do so? Most firms opt for some form of VPN. There are two types: the IP Security (IPSec) protocol VPN and the fast-rising star, SSL VPN.

IPSec VPNs use the web as the transfer medium, which has helped companies save a lot of money because they don't have to fork out for dedicated networks to connect remote locations.

For many, it is the accepted way of having a secure network connection beyond the company firewall. That said, installing and configuring IPSec VPN clients on mobile devices to allow for remote access can be expensive and technically challenging. Typically users either mess up the installation or configure the software incorrectly, so administrative costs increase.

This is where SSL VPN comes in. While also using the web as the transport medium, SSL VPNs do not require remote users to install or configure software on their notebooks. Also, unlike with IPSec VPNs, IT managers do not have to reconfigure their firewalls to allow communication, because SSL VPNs use the firewall ports already open for secure web traffic.

The Yankee Group claims SSL remote access is 45 per cent cheaper than IPSec solutions and 72 per cent cheaper than dial-up access. Duke says: "SSL VPNs are brilliant for mobile workers. There is zero touch on the desktop because there is no need to install anything, and it's all maintained by the IT department.

It is the same technology banks use to offer you online banking."

SSL's popularity is mirrored in rocketing sales according to most of the leading market watchers. Synergy Research Group reported that in the first quarter of 2004, SSL VPN sales rose by 220 per cent on the same period in 2003.

Datamonitor has predicted that SSL VPNs will be the fastest-growing segment of the firewall/VPN sector, with the market rising from $120m in 2003 to just over $1bn in 2007. InStat/MDR pointed out that despite the slow recovery of technology spending in 2003, SSL VPN sales rose by 160 per cent.

The analyst claimed businesses see it as the best way to "offer secure remote access to their evermore-mobile workforce".

So what about the hardware? Despite the rise of PDAs and smartphones, notebooks remain the key device used by most corporate mobile workers. A lot has been done to increase their mobile appeal, with many now coming with wireless capabilities as standard.

The weakest links

The problem with people is even if you give them secure notebooks, there is a good chance they will fail to use security measures. From leaving them in the pub to using stupidly simple passwords, people are widely considered to be the weakest link in any security scenario.

Last year the Computer Security Institute found that 57 per cent of corporate network breaches originated from stolen computers, and that stolen laptops represented an average financial loss of $89,000 each.

This is why notebook vendors, to allay business fears, are making security a standard part of the system. From building security into the chips and the operating systems to bundling security software and introducing advanced security measures such as biometrics on their products, notebook security is being taken out of the user's hands.

Intel's Centrino notebook chips now support more secure versions of the wireless 802.11 standards, so that even forgetting to turn off your wireless connection when it is not being used doesn't have to result in data theft.

Notebook vendors are also introducing biometric security into their products. Gateway in the US and more recently IBM have included fingerprint scanners on certain notebooks. When combined with a unique user password or security token, you are looking at strong, tailored security that matches each user to their own laptop.

Although the technology used to be expensive, fingerprint scanners are now relatively cheap. Like many other aspects of mobile security, they offer resellers another chance to bolt on a service. At the end of the day, it is not the wireless hardware or notebooks/PDAs that are going to generate decent margin.

Vine says: "The whole wireless sector has a lot of opportunities, from pre-sales advice to post-sales services. There is also a lot to be made out of the security aspect of going wireless.

Security in this field is not exactly a black art any more and there are resellers out there that have come up with good wireless security solutions to add to the hardware offering."

Duke agrees. "The biggest issue for corporates is they are hung up on the security issues surrounding wireless - the technology is inexpensive to deploy, and as a reseller, you have to put a service wrap around it. We tend to make that wrap a security wrap," he says.

"Businesses have to be assured that the person logging in is the person they claim to be. That extra wrap is where the resellers can make money."

In the past, only large firms were concerned about network security, Rivers says. "Now the threat has been understood by all. In fact security has become the top concern among small businesses. With SMEs, resellers need to be able to take a consultative approach and have a good understanding of security technologies.

Resellers should be looking to act as the IT director for SMEs. After all, the money to be gained from the sale of the kit and the installation is minimal compared with that of post-sales service contracts," he says.

CONTACTS

3Com (01442) 438 000
www.3com.co.uk

D-Link (020) 8731 5555
www.dlink.co.uk

Ingram Micro (0870) 166 0160
www.ingrammicro.co.uk

Lan 2 Lan (0870) 787 4001
www.lan2lan.com

Permalink