End-to-End Security:
Don't Overlook PDAs
by Lisa Phifer, Vice President, Core Competence, Inc.
Falling prices and broader features are expected to dramatically boost PDA purchases this year. According to In-Stat/MDR, worldwide PDA sales will grow 18% annually to reach 25 million units per year by 2007. This tidal wave of new PDAs will also be more tightly-coupled with networks. Units with integrated wireless will increase to 3 out of every 4 sold by the year 2007.
Today’s handhelds fall into three categories:
- Pen-based PDAs like Pocket PCs and Palm Pilots
- Keyboard-based PDAs such as the HP Jornada
- Hybrid phone-PDAs like the Handspring Treo.
Pen-based PDAs dominate, and the most popular pen-based operating system is Palm OS. According to Gartner, 6.7 million handhelds running Palm OS were sold in 2002 alone, capturing 55% of the global market.
Most PDAs are still purchased by end-users, but business adoption is rising as PDAs morph from Personal Information Managers into true mobile computers. As these devices mature, businesses are being forced to rethink handheld security. Palm PDAs and their brethren are becoming an extension of the business network perimeter. Unless you take the proper precautions, they could easily become the weakest link in your network’s armor.
Small Devices, Big Risks
What makes PDAs so vulnerable? Start with the obvious: their size. PDAs and related secure digital (SD) and multi-media cards (MMC) are easily lost or stolen. What’s worse, PDAs usually go missing in public places -- at an airport, on a train, in a restaurant or at a customer's site. Wireless use in such venues also creates new opportunities for eavesdropping and attack.
PDA mobility is a double-edged sword. PDAs offer convenient anytime/anywhere access to applications and data, boosting business efficiency. But an unprotected PDA that falls into the wrong hands can extend this same convenience to intruders, resulting in theft of service, loss of confidential data, even unauthorized backdoor access to the company network.
Because PDAs connect intermittently to company networks, they are harder for IT administrators to control. Furthermore, since PDAs run different operating systems and have comparatively limited CPUs, storage, and memory, they do not support the same security products already understood and mandated for company-owned laptops.
Step One: Admit You Have A Problem
Some companies do not formally recognize PDAs as supported computing devices. Employees can buy and use PDAs, but do so at their own risk. Unfortunately, sticking your head in the sand rarely yields positive results. Employee-owned PDAs may still jeopardize company data, synchronized desktops and Intranet servers.
A more productive approach is to meet PDA security challenges head-on. Recognize PDAs as mobile computing devices and plan accordingly. Even if your company does not purchase PDAs, create an Acceptable Use Policy to guide employees who use PDAs. Identify business risks, define best practices to mitigate them and recommend security measures and tools to implement these practices.
Enterprise-scale PDA Management
Companies that deploy PDA-based mobile business applications need to take PDA security even further. A number of commercial solution suites exist to create enterprise IT infrastructures that support secure mobile computing. For example:
- Enterprises with existing investment in desktop management systems from companies like Intel, Marimba, IBM/Tivoli, and Computer Associates can tap "mobile" extensions to these products to centrally track PDA assets and manage configurations.
-
Organizations that need to centrally manage, back up and monitor a variety of handheld devices might consider more specialized mobile management solutions like XcelleNet Afaria, Novell ZENworks or AvantGo.
-
Companies with Palm OS version 5 handhelds can buy into Palm’s Tungsten Mobile Information Management (MIM) Solution. MIM provides for IT administration of “Security Plus” add-ons, including Palm access controls and data encryption.
Solution suites like these provide a wide range of features for enterprise-scale device administration -- including (but not limited to) managing PDA security measures.
Management Guidelines for the Rest of Us
Smaller businesses that don’t have automated asset tracking or software distribution for desktops or laptops are not going to deploy them for PDAs. Nonetheless, these tracking tasks are still relevant to small businesses; small businesses simply handle them differently.
Create and maintain an asset inventory. Keep a list of PDAs and peripherals, with hardware serial number, flash ID, MAC address, owner information and the IP address of the company system that the PDA typically synchronizes with. An accurate inventory is your foundation for implementing access controls, discovering unauthorized PDAs and locking out stolen or lost PDAs.
Define your standard PDA environment. Identify PDA models that you must support. For each, enumerate required OS versions, wireless interfaces and third-party security tools (see below). If you let employees install PDA software, document an update distribution process. Teach employees to check signatures to verify authenticity, and instruct them to avoid shareware/freeware of unknown origin.
Document recommended configurations. Many PDAs don’t even use built-in safeguards. Educate employees by supplying instructions to enable passwords, disable infrared ports ("beaming"), use wireless encryption, avoid weak PAP authentication, etc.. Include rigorous instructions for third-party security tools. Automated systems implement and verify configurations, but even without such tools, you can encourage compliance by performing ad hoc checks.
Perform regular backups. Companies already realize the need to routinely back up laptops and desktops. PDAs used for business also require frequent backup so that service can be quickly restored when a handheld is lost, damaged or reset. Travelers who must backup on the road can use tools like Botzam Backup and BackupMan to routinely encrypt Palm PDA data onto secure digital cards.
PDA Security Tools
Whether your company is large or small, there are many tools available to mitigate PDA vulnerabilities. I’ll focus on tools for Palm OS, but similar measures are available for other OSs such as Windows CE and Symbian.
Control PDA Access. Power-on passwords prevent unauthorized use of lost or stolen PDAs. Palm OS includes a basic password, but third-party software supports stronger, more flexible authentication methods. For example, TealLock enforces password length/complexity/update, wipes data after n unsuccessful login attempts, and blocks backdoor access via serial and IR ports. Visual Key and OneTouchPass lock the Palm with a graphic, permitting access only when predefined spots are tapped in the correct order. CIC Sign-On recognizes the owner’s written signature as a password.
Protect Stored Data. Data on PDAs and associated SD/MMC cards can be encrypted to prevent access by malicious programs, other users on multi-user PDAs, or thieves when the password is disabled or compromised. Programs like BeSafe and Password Store provide a secure place to record passwords. Tools like Cloak and Cryptohack automatically encrypt databases owned by individual Palm applications. Programs like Handango Security Suite, movianCrypt, PDA Defense and PDA Secure combine access controls with on-demand encryption using a variety of ciphers.
Control Network Access. Authentication can prevent strangers from gaining unauthorized Internet or Intranet access via misappropriated PDAs. Palms can authenticate with MS-CHAP over PPP and with shared keys over 802.11 WLANs. Wireless services like Palm.Net or GoAmerica use device authentication to control subscriber access. Enterprise solutions like MIM allow users to authenticate to a Web portal in order to gain access to selected Intranet servers. Or leverage your existing VPN gateway to provide PDAs with authenticated secure remote access (below).
Protect Data In Transit. Business data sent by PDAs should be encrypted to prevent eavesdropping, not just on wireless links, but end-to-end. Many Palm OS VPN clients are available, including Mergic VPN (PPTP) and movianVPN, PDASecure VPN, SoftRemotePDA (made by Safenet, who makes WatchGuard's MUVPN client) and V-One SmartPass (IPsec). PDA clients tend to be simpler and therefore more limited than Win32 counterparts – read my searchNetworking evaluation.
If you don’t already have a VPN, there are other options. For example, Palm’s MIM applies AES encryption between the Palm and MIM server. The Palm OS supports SSL, so you can probably tunnel using SSL VPN products from vendors like Aventail, Neoteris, SafeWeb and URoam. Or you selectively encrypt individual applications. For example, secure Telnet using SSH clients like Mocha PocketTelnet and TopGun ssh.
Stop Malicious Code. Palm OS has fallen prey to just a few viruses: Phage overwrites Palm files, Liberty deletes applications while masquerading as a software patch and Vapor “hides” applications so they can no longer be used. PDA viruses will increase, but that's tomorrow's worry. The more pressing threat today is that attackers can use PDAs to propagate viruses to synchronized desktops and mail servers. To defeat this, run A/V software like McAfee VirusScan Wireless, TrendMicro PC-cillin for Wireless, or CA eTrust AntiVirus. Look for integrity measures in products like PDA Secure, which prevents protected applications from being deleted.
Conclusion
PDA owners often fail to understand and address inherent vulnerabilities, a cultural phenomenon seen with almost any new technology. Most companies have some PDA presence, whether they formally recognize it or not. Don’t be an ostrich -- look around, assess PDA use in your company, define your acceptable use policy, and start employing appropriate security tools to manage risk. ##
Copyright© 2003, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.