Making the Network Edge More Crunchy -- The Mobile Device Security Challenge
There's an active debate in the Microsoft security community regarding edge security. The debate goes something like this: in the past, there was the concept of the "hard crunchy" edge, where a firewall is in place to block all inbound connections to the corporate network. The only way to get to information stored on the corporate network was to actually be directly plugged into the network. This "hard crunchy" perimeter protected the network from all the bad things out on the Internet. Or so the thinking went at the time; it didn't consider the fact that outbound connections from the internal network could just as easily introduce exploits.
The new model, actively promoted by Microsoft, is that the "hard crunchy" perimeter (edge) no longer exists. Instead, we have a "soft chewy" perimeter that allows all sorts of connections to the corporate network. These connections are from home workers, road warriors, partners, consultants and an entire host of other remote access users. So, because of all of the "holes" we need to make on our edge security devices to allow these connections, the edge should no longer be seen as "hard" and "crunchy".
There is no doubt that mobile workers are making the edge more porous. And perhaps the most important devices we have to worry about are handheld mobile devices. Smart phones, PDA phones and other pocket computers are the fastest growing device type that makes remote connections to data on the corporate network. It's your job to make sure that you can secure those connections.
To secure my networks against these types of devices, I have to take two major areas of security into account:
- Edge Security
- Host (or device) Security
For edge security, you need to make sure that only devices that are approved for corporate use are allowed to connect to the corporate network. The edge device should be able to perform both authentication (so that no anonymous connections from these devices hit internal servers) and authorization (so that even if a user successfully authenticates, he must also be authorized to access the server and data before the connection is allowed through).
In addition to authentication and authorization, you need to make sure that the contents of the datastream are private and secure. You can use SSL between the mobile device and the edge security device to ensure privacy. To make the connection secure, you need to make sure that no exploits (such as exploit commands and code, as well as malware) can get past the edge security device.
For the edge security solution, you should consider an application layer inspection firewall, such as an ISA Firewall. The ISA Firewall is able to inspect the contents of SSL connections by performing SSL termination and initiation (it terminates the client's SSL session, inspects the cleartext, and opens a new SSL session to the internal server). The ISA Firewall can also inspect the HTTP datastream to make sure that no illegal commands are sent past the ISA Firewall, or to make sure that only known good HTTP commands and code are allowed past it.
As you can see, while the edge isn't the rock wall that it used to be, by enforcing authentication, authorization and application layer inspection road blocks, you go a long way toward making that edge a lot crunchier than the supposed "soft and chewy" edge that some might advocate.
Now for the device side. I think the best selection for mobile devices is Windows Mobile 6. The Windows Mobile 6 devices need to be controlled so that in the event that those devices are lost or stolen, no valuable private information is lost. This is critical -- thousands of handheld computing devices are lost or stolen each year, many of them with private, valuable corporate information that could put the company's bottom line at risk.
This is where Windows Mobile 6 and Exchange Server 2007 come into play. With this mobile device client/server combination, you get the following security features:
- You can set policy so that all information contained on storage cards is encrypted and cannot be read on any other device
- The administrator can wipe the device once he discovers that it's lost or stolen
- The user can wipe the device himself, through an OWA-based self-service portal, so that he doesn't even need to inform IT that the device was stolen and needs to be wiped.
- You can set policy for attachment size limits
- You can set policy to allow or disallow attachment downloads
- You can enable Windows Rights Management on documents stored on the device in order to prevent them from being printed, copied, forwarded or even read by unauthorized individuals
- You can set policy that enables or disables access to UNC path folder shares and SharePoint library files
- You can set policy for password complexity and password reuse -- which protects the stolen device from being used without a log-in PIN
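The policy items above map directly onto Exchange ActiveSync mailbox policy settings. The following Exchange 2007 SP1 Management Shell commands are an added example, not code from the original post; the policy name "WM6-Corporate" and the mailbox alias "jdoe" are assumed values, and the numeric limits are illustrative choices.

```powershell
# Create an empty ActiveSync mailbox policy, then fill it in by topic so each
# setting can be commented. (Policy name and alias are assumptions.)
New-ActiveSyncMailboxPolicy -Name "WM6-Corporate"

# Only devices that can actually enforce the policy (e.g. Windows Mobile 6)
# are allowed to synchronize; older or non-provisionable clients are refused.
Set-ActiveSyncMailboxPolicy -Identity "WM6-Corporate" -AllowNonProvisionableDevices $false

# Storage-card encryption: card contents cannot be read in another device.
Set-ActiveSyncMailboxPolicy -Identity "WM6-Corporate" -RequireStorageCardEncryption $true

# Attachment handling: allow downloads, but cap the size (set -AttachmentsEnabled
# $false to disallow attachment downloads entirely).
Set-ActiveSyncMailboxPolicy -Identity "WM6-Corporate" -AttachmentsEnabled $true -MaxAttachmentSize 1MB

# Block access to UNC file shares and SharePoint (WSS) libraries from the device.
Set-ActiveSyncMailboxPolicy -Identity "WM6-Corporate" -UNCAccessEnabled $false -WSSAccessEnabled $false

# Device password: required, alphanumeric, at least 8 characters, the last
# 5 passwords cannot be reused, the device locks after 10 minutes idle and
# wipes itself after 8 failed unlock attempts.
Set-ActiveSyncMailboxPolicy -Identity "WM6-Corporate" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -DevicePasswordHistory 5 `
    -MaxInactivityTimeLock 00:10:00 `
    -MaxDevicePasswordFailedAttempts 8

# Assign the policy to a user's mailbox; the device receives it on next sync.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "WM6-Corporate"

# Administrator-initiated remote wipe of every device partnered with the
# mailbox, after the user reports it lost or stolen. Re-run
# Get-ActiveSyncDeviceStatistics afterwards to confirm the wipe was acknowledged.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity }
```

The user-initiated wipe from the OWA self-service page and the ISA Firewall certificate requirement are configured in their respective consoles rather than with these cmdlets.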
In addition, you can pair up the security capabilities of Windows Mobile 6 with the ISA Firewall's authentication and authorization scheme by requiring user certificate authentication. This prevents unauthorized devices from connecting to corporate resources, since unapproved devices (which don't support centralized security policy management the way Windows Mobile 6 does) are stopped at the edge before they ever reach your network.
So, while the edge isn't quite as hard and crunchy as it might have been in the 1990s, you can still make it plenty hard for mobile device users by combining the strengths of an application layer inspection edge device like an ISA Firewall with the device-specific security provided by a combined Windows Mobile 6 and Exchange 2007 solution.
For an excellent article that gives detailed coverage of the Windows Mobile 6 and Exchange Server 2007 combination, check out: http://www.microsoft.com/technet/technetmag/issues/2007/07/Mobile/?loc=en&rss=http://www.microsoft.com/technet/technetmag/issues/2007/07/Mobile/?loc=en
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
MVP - Microsoft Firewalls (ISA)