www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
10 October 2005  
Vendor Accent

Implementing Mobile VPNs

Decision-makers should consider using mobile VPNs for communication, writes Jeff Ratzlaff.

In modern business environments, it has become less acceptable for an employee to be unable to access company resources while outside the office. More workers are becoming mobile, and the number of tasks for the average employee is increasing, while the amount of time needed per task is ever decreasing.

Little wonder then that most corporations eagerly anticipated the arrival of the 2.5G mobile network, and are looking forward to faster 3G mobile networks and the truly mobile Internet. A wireless connection to the office network will be no different than using the desktop in the office.

The new age of Mobile VPNs

A mobile VPN is conceptually similar to a remote access VPN. Here, the remote user is a mobile user accessing the corporate network from either outside or inside the corporate premises over a wireless connection. The access device is a smart phone or PDA with VPN client software installed on it. With mVPNs, users get virtual connections to the corporate network that behave like an onsite LAN connection. However, the mobility of the remote device, the diversity of the underlying network infrastructure, and the limited resources of handheld devices introduce many challenges for the VPN solution.

Is SSL sufficient?

Some argue that secure sockets layer (SSL) is enough to secure a connection. If properly implemented, both SSL and IPSec offer robust protection. The main difference is where they sit: SSL runs above the transport layer and is applied by each application individually, whereas IPSec operates at the network layer and protects all IP traffic between the two endpoints. Historically, SSL required modifying individual applications on both the client and the server. For instance, for a mobile client to read e-mail, the Web interface provided by the mail server had to be adapted. Today, however, more capable browsers are being built for mobile devices, with SSL certificate validation built into the browser software.

In contrast, an IPSec VPN offers a transparent solution: applications do not know about the underlying security mechanism, and do not need to know whether the traffic is protected at all, so the user is unaware of the mechanism beneath the VPN. Remote users are authenticated to gateways using digital certificates, or legacy authentication mechanisms such as a SecurID token. Authentication must be mutual: the client also verifies the gateway's identity during the IKE exchange, so that it cannot be lured into tunnelling to an impostor gateway. Clients get no access to the protected network until authentication succeeds. For corporate access, an IPSec VPN is the natural choice when the company does not want to change its existing applications to support SSL.

Implementing Mobile VPNs

Certain characteristics of mobility should be taken into consideration when implementing mVPNs.

  • The nature of mobile networks

Mobile networks create some technical issues that need to be addressed when planning mobile solutions. Mobile networks today have latency and throughput limitations that lead to time-outs if applications and VPN clients are not prepared to tolerate long delays.

The sporadic and nomadic nature of the handheld connection (the device's IP address changes as it moves and is not known in advance) makes security management of the devices challenging. When a mobile user establishes a secure connection to the corporate intranet, the backend system needs to verify the validity of the security profiles. This should be done before each connection, without the mobile user noticing a substantial delay during connection establishment. In addition, mobile operators typically issue private addresses to mobile devices and apply NAT (network address translation) before forwarding IP packets to the public network. Plain IPSec does not survive that: ESP carries no port numbers for the NAT to rewrite and AH protects the IP header the NAT modifies, so the mVPN client and gateway must support NAT traversal (NAT-T), which detects the NAT during IKE and encapsulates IKE and ESP in UDP on port 4500.
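Once NAT traversal is in use, everything the gateway sees on UDP port 4500 is one of three things, and a firewall or IDS in front of the gateway has to tell them apart. The following classifier is an added example (not code from the article or from Nokia). The format facts come from RFC 3948 and RFC 4306: a lone 0xFF byte is a NAT keepalive, four zero bytes (the "Non-ESP marker") precede an IKE header, and anything else starts with a non-zero ESP SPI (SPI 0 is reserved). The sample packets are constructed by hand for the demonstration.

```python
"""Demultiplex UDP/4500 payloads the way an IPsec NAT-T endpoint does.

Added example, not from the article. Format per RFC 3948 (UDP-encapsulated
ESP, NAT keepalive) and RFC 4306 (IKE header, Non-ESP marker on port 4500).
"""
import struct
from dataclasses import dataclass
from typing import Optional

IKE_HEADER_LEN = 28          # 8+8 SPIs, 4 single bytes, message ID, length
NON_ESP_MARKER = b"\x00\x00\x00\x00"


@dataclass
class Classification:
    kind: str                  # "keepalive", "ike", "esp" or "malformed"
    spi: Optional[int] = None  # ESP SPI, or IKE initiator SPI
    detail: str = ""


def classify_natt_payload(payload: bytes) -> Classification:
    """Classify one UDP/4500 payload; never trusts a length field blindly."""
    if payload == b"\xff":
        return Classification("keepalive")
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HEADER_LEN:
            return Classification("malformed", detail="truncated IKE header")
        (init_spi, _resp_spi, _next, version, exch_type,
         _flags, _msg_id, length) = struct.unpack("!QQBBBBII", ike[:IKE_HEADER_LEN])
        if length != len(ike):
            return Classification("malformed", spi=init_spi,
                                  detail=f"IKE length {length} != {len(ike)} bytes present")
        major, minor = version >> 4, version & 0x0F
        return Classification("ike", spi=init_spi,
                              detail=f"IKEv{major}.{minor} exchange type {exch_type}")
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        if spi == 0:
            return Classification("malformed", detail="ESP SPI 0 is reserved")
        return Classification("esp", spi=spi, detail=f"seq {seq}")
    return Classification("malformed", detail=f"{len(payload)}-byte payload")


def build_ike_packet(init_spi: int, exch_type: int, body: bytes) -> bytes:
    """Constructed IKEv2 message (version 2.0, Initiator flag) behind the Non-ESP marker."""
    header = struct.pack("!QQBBBBII", init_spi, 0, 33, 0x20, exch_type, 0x08, 0,
                         IKE_HEADER_LEN + len(body))
    return NON_ESP_MARKER + header + body


def build_esp_packet(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed UDP-encapsulated ESP packet: SPI, sequence number, opaque payload."""
    return struct.pack("!II", spi, seq) + ciphertext


# Constructed sample traffic for the demo (not captured data).
SAMPLES = {
    "keepalive":   b"\xff",
    "ike_sa_init": build_ike_packet(0x1122334455667788, 34, b"\x00" * 40),  # 34 = IKE_SA_INIT
    "esp_data":    build_esp_packet(0xC0FFEE01, 7, b"\x5a" * 64),
    "short_junk":  b"\x01\x02",
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:12s} -> {classify_natt_payload(packet)}")
```

The IKE length check matters in practice: a parser that trusts the header length over the datagram length is the kind of code that gets crashed with a short packet. The classifier also treats SPI 0 as malformed rather than as ESP, which is exactly why the marker scheme in RFC 3948 works.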

  • Limited memory and resources

Mobile handheld devices have less available memory than personal computers. Smart phones typically come standard with 8-64 MB of available memory for applications, and PDAs with 128-256 MB. The amount of upgradeable and standard memory is constantly increasing. However, the number of applications and feature requirements of these devices are increasing too.

  • Limited processing power

Typical handheld devices are powered by a CPU that provides only a fraction of the computing power of a typical desktop (a 206 MHz ARM against a 2.8 GHz Pentium 4, for example). This means that computation-intensive tasks such as key agreement and encryption take more time on a handheld device than on a desktop computer. At the connection speeds involved (below 100 kbps), bulk encryption is not much of an issue, because there are few bytes per second to encrypt. The expensive part is the public-key work done when a tunnel is set up: the Diffie-Hellman exponentiations and certificate signature checks of the IKE handshake, with groups and keys strong enough to match the session keys they protect, can take several seconds on such a CPU.
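To see the proportion between handshake cost and link capacity on whatever hardware you have, the following added example (not code from the article or from Nokia) runs both sides of a Diffie-Hellman exchange in the 2048-bit MODP group (group 14 of RFC 3526) with Python big integers and sets the wall-clock cost against what a sub-100 kbps link carries in the same time. The prime is transcribed from the RFC and is sanity-checked here only by its length, so verify it against the RFC before reusing it; the nonces and key derivation are a simplified stand-in for IKE's, not the real IKE PRF.

```python
"""Cost of an IKE-style group-14 key agreement versus bulk traffic on a slow link.

Added example, not from the article. Prime: RFC 3526 group 14 (transcribed;
check against the RFC). Key derivation is a simplified stand-in for IKE's.
"""
import hashlib
import secrets
import time

MODP_2048_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(MODP_2048_HEX.split()), 16)
G = 2
PRIVATE_EXPONENT_BITS = 256   # well above the ~110-bit strength of group 14


def peer_value_is_acceptable(value: int) -> bool:
    """Reject 0, 1 and p-1: a peer sending them forces a trivial shared secret."""
    return 1 < value < P - 1


def dh_keypair() -> tuple:
    """One side's private exponent and the public value it sends on the wire."""
    x = secrets.randbits(PRIVATE_EXPONENT_BITS) | (1 << (PRIVATE_EXPONENT_BITS - 1))
    return x, pow(G, x, P)


def dh_shared(private: int, peer_public: int) -> int:
    """Shared secret after validating the peer's public value."""
    if not peer_value_is_acceptable(peer_public):
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, P)


def derive_key(shared: int, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Simplified key derivation (assumption: stands in for IKE's SKEYSEED/PRF+)."""
    return hashlib.sha256(shared.to_bytes(256, "big") + nonce_i + nonce_r).digest()


def run_exchange() -> tuple:
    """Initiator and responder sides (four exponentiations); returns both keys and seconds."""
    start = time.perf_counter()
    x_i, y_i = dh_keypair()
    n_i = secrets.token_bytes(32)
    x_r, y_r = dh_keypair()
    n_r = secrets.token_bytes(32)
    key_i = derive_key(dh_shared(x_i, y_r), n_i, n_r)
    key_r = derive_key(dh_shared(x_r, y_i), n_i, n_r)
    return key_i, key_r, time.perf_counter() - start


def link_bytes_in(seconds: float, bits_per_second: int) -> int:
    """Payload bytes a link of the given rate delivers in `seconds`."""
    return int(seconds * bits_per_second / 8)


def public_value_wire_seconds(bits_per_second: int) -> float:
    """Time to push one 256-byte group-14 public value over the link."""
    return 256 * 8 / bits_per_second


if __name__ == "__main__":
    key_i, key_r, elapsed = run_exchange()
    assert key_i == key_r
    print(f"group-14 exchange: {elapsed * 1000:.1f} ms on this CPU")
    for bps in (9_600, 56_000, 100_000):
        print(f"  at {bps / 1000:>5.1f} kbps the link moves {link_bytes_in(elapsed, bps)} bytes "
              f"in that time; one public value takes {public_value_wire_seconds(bps) * 1000:.0f} ms on the wire")
```

On a modern laptop the four exponentiations finish in tens of milliseconds, during which a 100 kbps link moves only a few hundred bytes; scale the CPU down by an order of magnitude or two and the handshake, not the cipher, becomes the visible delay the text describes. The range check on the peer's value is not optional: accepting 1 or p-1 lets an attacker on the wireless path fix the shared secret.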

  • Limited battery power

Mobile devices are usually powered by a rechargeable battery, which lasts from hours to days in normal usage. Because a VPN tunnel requires continuous computation for encryption and integrity checks, plus periodic rekeying, it keeps the device's CPU busy and drains the battery faster.

  • Limited terminal security

Terminal security is a critical component of a corporate-level mobile application solution. VPNs allow sensitive data to be exchanged between the handheld device and the corporate network, which usually means that some of that data ends up stored on the handheld device itself. Therefore, technologies such as file encryption and automatic device locking (with a PIN or password) should be in place when sensitive data is stored on a mobile device, and it should be possible to revoke a lost device's VPN credentials promptly.

  • Number of mobile users

In the wireless world, the sheer number of clients can create problems for existing infrastructure. The number of clients determines how many concurrent connections (tunnels) the gateway must be able to handle, as well as how many users it must be able to authenticate simultaneously, and the authentication peak is usually sharper than the tunnel count (for example, when a cell or network outage ends and every client reconnects at once). The number of concurrent connections and simultaneous authentication requests must be estimated, and gateway equipment that can handle the required load should then be deployed in the network infrastructure.

  • Deploying mobile clients

Mobile VPN client configurations (policies), certificates, and private/public key pairs need to be managed centrally by network or security managers. Mobility presents a special challenge when deploying this information to the clients, especially during the initial deployment of the client software and policies. Additionally, mobile clients are always connected through an untrusted or hostile network (wireless), so software and policies must be deployed securely. An initial trust relationship between the intranet and the mobile handheld device has to be established, for instance through a one-time enrollment secret handed to the user out of band, before any VPN-related trust material such as certificates is downloaded to the handheld device; otherwise an attacker on the wireless path can hand the device a policy pointing at a gateway of his own.
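One concrete way to establish that initial trust, as an added example that is not the article's or Nokia's mechanism: the security manager gives the user a short one-time enrollment secret out of band, and the management server authenticates the policy bundle (VPN policy plus the gateway CA certificate) with an HMAC whose key is stretched from that secret. The handheld rejects any bundle that fails the tag check before trusting a single field of it. The policy, secret, hostname and "certificate" below are constructed placeholders.

```python
"""Authenticating the first policy bundle with an out-of-band enrollment secret.

Added example, not from the article. All inputs are constructed placeholders.
"""
import hashlib
import hmac
import json
import os

SAMPLE_POLICY = {                      # constructed; "vpn.example.com" is an assumed name
    "gateway": "vpn.example.com",
    "ike": "aes256-sha256-modp2048",
    "esp": "aes256-sha256",
    "split_tunnel": False,
}
SAMPLE_CA_PEM = ("-----BEGIN CERTIFICATE-----\n"
                 "(constructed placeholder, not a real certificate)\n"
                 "-----END CERTIFICATE-----\n")
ENROLLMENT_SECRET = "7Q4M-2PXA-9ZKD"   # constructed; delivered out of band, single use
PBKDF2_ROUNDS = 100_000


def _bundle_key(enrollment_secret: str, salt: bytes) -> bytes:
    """Stretch the short, human-transcribed secret into a 256-bit MAC key."""
    return hashlib.pbkdf2_hmac("sha256", enrollment_secret.encode(), salt,
                               PBKDF2_ROUNDS, dklen=32)


def _canonical(obj) -> bytes:
    """Deterministic encoding so issuer and verifier MAC identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def seal_bundle(policy: dict, gateway_ca_pem: str, enrollment_secret: str,
                now: int, ttl_seconds: int = 900) -> dict:
    """Management-server side: package policy and CA cert with a short-lived tag."""
    salt = os.urandom(16)
    body = {"policy": policy, "gateway_ca_pem": gateway_ca_pem,
            "issued": now, "expires": now + ttl_seconds}
    tag = hmac.new(_bundle_key(enrollment_secret, salt), _canonical(body), "sha256").hexdigest()
    return {"salt": salt.hex(), "body": body, "tag": tag}


def open_bundle(bundle: dict, enrollment_secret: str, now: int) -> dict:
    """Handheld side: verify the tag before trusting any field, then check freshness."""
    key = _bundle_key(enrollment_secret, bytes.fromhex(bundle["salt"]))
    expected = hmac.new(key, _canonical(bundle["body"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected, bundle["tag"]):   # constant-time comparison
        raise ValueError("bundle authentication failed")
    if now > bundle["body"]["expires"]:
        raise ValueError("bundle expired")
    return bundle["body"]


def bundle_status(bundle: dict, enrollment_secret: str, now: int) -> str:
    """Outcome as a string: 'accepted' or the reason for rejection."""
    try:
        open_bundle(bundle, enrollment_secret, now)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def with_gateway_swapped(bundle: dict, rogue_gateway: str) -> dict:
    """Simulate an on-path attacker redirecting the client to a rogue gateway."""
    forged = json.loads(json.dumps(bundle))
    forged["body"]["policy"]["gateway"] = rogue_gateway
    return forged


if __name__ == "__main__":
    issued_at = 1_700_000_000   # constructed timestamp
    bundle = seal_bundle(SAMPLE_POLICY, SAMPLE_CA_PEM, ENROLLMENT_SECRET, issued_at)
    print("genuine bundle:", bundle_status(bundle, ENROLLMENT_SECRET, issued_at + 60))
    print("wrong secret:  ", bundle_status(bundle, "guess", issued_at + 60))
    print("forged gateway:", bundle_status(
        with_gateway_swapped(bundle, "vpn.attacker.example"), ENROLLMENT_SECRET, issued_at + 60))
    print("stale bundle:  ", bundle_status(bundle, ENROLLMENT_SECRET, issued_at + 3600))
```

Two things the code cannot do for you: the server must invalidate the enrollment secret after its first use and rate-limit attempts, because a short secret is guessable offline only if the attacker has a sealed bundle to test against, and online only if the server lets him try. Once the CA certificate in the bundle is installed, every later policy update can be signed with a proper certificate and the enrollment secret is never used again.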

Overcoming challenges

  • VPN policy

Look for mVPN solutions that support multiple encryption and public key algorithms, as well as several key-management protocols, including the industry standard IKE (Internet Key Exchange) protocol. These mVPN solutions should automatically negotiate the strongest encryption and data authentication algorithms available to both communicating parties; the administrator's policy should also set a floor, so that negotiation can never fall back to a weak algorithm. For authentication, the solution must be able to handle emerging technologies such as Public Key Infrastructure (PKI) as well as the legacy authentication methods already in place. Thus, corporates can utilise their existing infrastructure (for instance, SecurID tokens and RADIUS servers) to handle user authentication.

There is a need for a single point of management for mobile VPN infrastructure to ease maintenance, support and management of the whole security policy of a company.

  • Connections to corporate networks

Extending a corporate network to mobile devices requires an infrastructure (network, gateways, management tools) that can handle the management and support of a massive number of new devices. As such, the mVPN infrastructure must be flexible, scalable, and always available, so that corporations can base core services on it. As more users come into the network, the solution must be able to balance the load automatically without affecting existing connections. There should be no disruption in service for the end-user, which is especially important for mobile users.

  • Mobile user experience

The ultimate success of mobile solutions depends on how end-users adopt and accept wireless devices and the security on them. Mobile terminals present a special usability challenge, since screen size and input methods are limited by the size of the devices. The mVPN client must be simple and intuitive to use, requiring minimal user intervention and integrating tightly with the operating system. Mobile VPNs enable organisations to extend the network to mobile employees and partners without compromising their security standards. There are careful considerations to be addressed, but with the right solution, achieving a truly mobile workforce is not that difficult.

The author is Director, Marketing, Asia Pacific, Enterprise Solutions, Nokia. He may be contacted at mobile.business.apac@nokia.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.