Wireless Security – advancing from the traditional “one-size-fits-all” approach.
Mobile devices and network technologies have evolved in recent years, giving the executive road warrior and field service representative access to corporate networks, databases and applications from virtually anywhere.
Despite these advances, many organizations are still unfamiliar with the latest remote access technologies and are unsure how to address the biggest mobile deployment concerns, namely connection cost, availability, speed and security.
The good news is that virtual private network (VPN) solutions have evolved to better serve the growing number of truly mobile workforces.
The use of a VPN for secure remote access is essential. A VPN must address the productivity concerns of application administrators as well as the network and data security concerns of network administrators—without compromising usability. For organizations to strike this balance between security, performance and usability in the field, they must select their VPN solution carefully.
Countless remote access and virtual private network (VPN) technologies claim to help IT managers provide mobile workers access to vital applications without compromising network security or disrupting performance and productivity. The reality is, however, very few work well for truly mobile workers.
Most VPNs can provide adequate remote access and security in fixed locations or over wired networks, but they do not provide seamless mobility in environments in which workers frequently change locations throughout the day, suspend/resume their devices to save battery life, encounter gaps in coverage or use multiple wireless networks. For these reasons, it is important to recognize that today’s VPNs are simply NOT one-size-fits-all.
How mobile is your workforce?
Before you select a VPN, it is important to first analyze the workers that will use the solution. Are they “remote” or “mobile”? What are their specific remote access requirements?
Not all remote workers are mobile. Remote workers typically require access to a single local wired or wireless network from a fixed location, such as a home office or hotel room. True mobile workers, on the other hand, make use of a rich variety of wireless connections throughout the day. These workers rely on real-time access to data and applications, and they are more sensitive to obstacles that hinder their access because, as we have seen, it ultimately impacts their productivity and erodes the very benefits which the mobile working project sought to deliver.
IPSec, SSL and Mobile VPN solutions: An overview
The three most common technologies used for remote and mobile access today, IPSec, SSL and Mobile VPNs, are solid, proven technologies. When configured and used properly, all provide a high level of security through encryption and authentication and work well for remote users. However, not all VPNs function the same way under the same conditions. Unlike traditional IPSec and SSL VPNs, Mobile VPNs perform especially well in mobile and wireless environments. It is therefore critical to determine if your workforce is remote or mobile and to evaluate the merits and pitfalls of each VPN solution for that workforce.
IPSec VPNs are designed to provide point-to-point connectivity for remote users, typically over a high-speed network. IPSec was not developed with protocol efficiency in mind, and adds roughly 102 bytes of overhead for every packet transmitted. When this overhead is multiplied across each application in use, IPSec becomes progressively impractical when used over a wireless network. The most well-known attempt to make IPSec functional in mobile computing environments where IP addresses change is an approach called ‘Mobile IP’. Unfortunately, Mobile IP adds yet another layer of protocol overhead and introduces new security risks and data routing inefficiencies—both of which further degrade IPSec’s already poor performance over wireless networks and fail to even address the reliability required to remain productive.
As an alternative to IPSec, SSL VPNs are initiated through a web browser to provide clientless access to applications over a single network connection. SSL VPNs are a low-cost solution for web-enabled applications, but become increasingly complex when used with standard client-server applications that require non-standard SSL client software to function properly. This makes SSL inappropriate for environments that require access to home-grown or non-web-based applications. SSL also adds large amounts of overhead to packets, which is especially problematic over wireless networks when running multiple applications.
Both IPSec and SSL VPNs utilize a static IP address to identify the endpoint device—an architecture that works well when used over a wired connection or with a stationary endpoint. Maintaining this static IP address when the device is mobilized and connecting over a wireless network, though, is much more difficult. A gap in coverage or suspending a device will typically drop the VPN session and require the user to log back in and restart applications.
The newest category, Mobile VPNs, is designed for the mobile worker and addresses the challenges associated with wireless networks and mobility. Mobile VPNs, much like traditional VPNs, integrate standards-based authentication and encryption, and provide single sign-on authentication. The Mobile VPN architecture is based on virtual IP addresses rather than physical ones. Virtual IP addresses allow users to maintain their VPN connection or tunnel as well as their application session as they roam across any wired and wireless IP-based network. Some Mobile VPN solutions provide this seamless, uninterruptible user experience even through coverage gaps and suspend/resume cycles. Mobile VPNs also provide excellent application compatibility and work well on non-browser-based and even home-grown applications—without requiring additional configuration or upgrades.
Unlike their predecessors, Mobile VPNs are designed to perform well over low-bandwidth, high-latency connections and so typically utilize the more efficient UDP protocol that minimizes overhead and optimizes performance over wireless networks. Rather than degrade network performance, Mobile VPNs typically provide both protocol optimizations as well as various forms of compression to accelerate the wireless connection, often providing apparent throughput that exceeds the network’s native performance capabilities. And Mobile VPNs become even more efficient as more network applications are used.
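The roaming behaviour described above can be sketched as server-side session state that is keyed by a session ID instead of the client's physical address. This is an added example, not code from the article or from any vendor's product; the class and function names, the HMAC-based packet tag, the sequence counter and the sample addresses are all assumptions made for illustration.

```python
import hashlib
import hmac

def seal(key: bytes, session_id: str, seq: int, payload: bytes) -> bytes:
    """Client side: tag a packet so the server can verify it from any address."""
    msg = session_id.encode() + seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

class SessionTable:
    """Server side (hypothetical): sessions are keyed by ID, never by source address."""

    def __init__(self):
        self._sessions = {}

    def open(self, session_id, key, virtual_ip, endpoint):
        # Called after login; virtual_ip is what applications see and never changes.
        self._sessions[session_id] = {
            "key": key, "virtual_ip": virtual_ip,
            "endpoint": endpoint, "last_seq": 0,
        }

    def endpoint(self, session_id):
        return self._sessions[session_id]["endpoint"]

    def receive(self, session_id, seq, payload, tag, source):
        """Return the session's virtual IP if the packet is accepted, else None."""
        s = self._sessions.get(session_id)
        if s is None:
            return None
        if not hmac.compare_digest(seal(s["key"], session_id, seq, payload), tag):
            return None              # unauthenticated: do not move the session
        if seq <= s["last_seq"]:
            return None              # replayed packet: do not move the session
        s["last_seq"] = seq
        s["endpoint"] = source       # roam: new physical address, same virtual IP
        return s["virtual_ip"]
```

The physical endpoint is rebound only after the tag and sequence number check out, so a packet from an unexpected address cannot redirect the session on its own.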
Furthermore, leading Mobile VPNs combine the best IPSec and SSL policy management approaches for even greater flexibility and control. For example, IT managers can regulate access at the application level (like SSL VPNs) as well as by port and protocol (like IPSec VPNs). Some go a step further by permitting or denying access to a specific application by a user or a user group with defined network conditions such as the network being used. Administrators can create policies to prevent the use of high-bandwidth applications over low-speed connections or to ensure confidential data is not accessed over a public wireless WAN, but permit access as soon as the user switches to an enterprise Wi-Fi access point.
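A policy of the kind described above, combining user group, application and current network conditions, can be modelled as an ordered rule list with a default deny. This is an added example, not code from the article or from any product; the rule fields, group and application names, network labels and the 512 kbps threshold are constructed for illustration.

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class Context:
    user_group: str
    application: str   # application the client reports for the flow
    network: str       # e.g. "enterprise_wifi", "public_wwan", "hotspot"
    link_kbps: int     # speed of the connection currently in use

@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    user_group: Optional[str] = None     # None matches any value
    application: Optional[str] = None
    network: Optional[str] = None
    max_link_kbps: Optional[int] = None  # rule applies at or below this speed

    def matches(self, ctx: Context) -> bool:
        return ((self.user_group is None or self.user_group == ctx.user_group)
                and (self.application is None or self.application == ctx.application)
                and (self.network is None or self.network == ctx.network)
                and (self.max_link_kbps is None or ctx.link_kbps <= self.max_link_kbps))

# Constructed policy: explicit denies first, then the narrow permits.
POLICY = [
    Rule("deny", application="video_training", max_link_kbps=512),
    Rule("deny", application="records_client", network="public_wwan"),
    Rule("permit", user_group="field_service", application="records_client",
         network="enterprise_wifi"),
    Rule("permit", user_group="field_service", application="video_training"),
]

def decide(ctx: Context, policy=POLICY) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for rule in policy:
        if rule.matches(ctx):
            return rule.action
    return "deny"

def on_roam(ctx: Context, network: str, link_kbps: int):
    """Re-evaluate on every network change: the tunnel stays up, access may not."""
    new_ctx = replace(ctx, network=network, link_kbps=link_kbps)
    return new_ctx, decide(new_ctx)
```

Because unmatched traffic is denied, a network the policy never names (a cafe hotspot, for instance) gets no access to the confidential application until an administrator adds a rule for it.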
The Mobile VPN enables mobile workers to roam across wireless networks, traverse dead spots in coverage and even suspend and resume their devices, all without losing data or logging in again. This freedom and flexibility means that employees can serve customers anywhere, using all types of wireless Internet connection, be they cellular-based data services, wireless hotspots in cafes or airport terminals, dial-up connections, corporate wireless networks or even conventional wired LANs.
In summary, implementing a Mobile VPN equips Network Administrators with the ability to successfully extend LAN-based applications and data communications security policy to mobile devices connecting to wireless networks – even those public wireless networks which they do not own or control.
Peter George, Vice President International, NetMotion Wireless.