Republished with permission of
Originally published 9 May 2002.
Five “Must Have” Defenses for Mobile Computer Users
by Fred Avolio, Avolio Consulting, Inc.
[Editor’s Note: In May, LiveSecurity articles will focus on securing the remote user. Fred starts the topic with this fine overview. In the next three weeks, watch for articles on understanding IPSec parameters, how to arrange telecommuting without using Microsoft products, and a Support Flash or two detailing how to create MUVPN connections with ease. All these articles originated from your requests, so we’re confident you’ll find them practical and worthwhile. See you around the Inbox! — Scott Pinzon]
Mobile access to our enterprise networks has become commonplace. Mobile computers — those PCs our users carry to Internet cafes, hotels, conferences, airports, and really, everywhere — extend our network perimeter quite a bit further than a firewall can handle. Just as a network requires a firewall for strong defense, there are “must haves” for mobile computer defense as well.
The nature of the problem
While a firewall protects access to a network, and controls what may and may not pass through it, everyone knows that a firewall cannot control connections that don’t go through it. The ultimate expression of this is the mobile computer, which sneaks past the firewall by being physically carried around it. The mobile computer is an extension of the private network, with a set of unique differences.
First, unlike enterprise-bound desktops, the mobile computer has no dedicated system administrator (besides the owner). No one gets paid to back up the data on the mobile computer, and no one gets paid to keep it virus free. And if someone did, his job would be difficult, since the mobile computer is … well, mobile.
The non-mobile computers in the enterprise benefit from all the physical security available in a shared office environment. The “road warrior” can never protect her mobile computer as thoroughly. A mobile computer travels beyond the bounds of the guards, property passes, and locked doors of the office. And most mobile computers are configured with ease of use in mind, keeping the user from having to enter a password too many times. This configuration is like locking your door, and hanging the key on the doorpost. If an attacker gets physical possession of the computer, it’s Game Over.
Finally, within the office environment, data communications rarely leave the premises, and if they do, they go through the firewall. For the mobile computer, most data is communicated over wires and fiber owned by others, potentially vulnerable to capture by an eavesdropper.
The not-so-bare necessities
At a minimum, all mobile computers that will occasionally connect to the office from a remote location should have five important add-ons.
1) Anti-virus Software
The first is so obvious that I’ll not spend much time with it. Antivirus software must be on every computer, especially mobile PCs. The hard thing about mobile A/V is keeping it up to date. A desktop computer can be configured to check for virus updates on a regular basis. So, once a week at, say, 3:15 AM on a Wednesday, it reaches out and touches the A/V vendor (or, in a medium-to-large organization, a local updates server). But in contrast, at update time the mobile computer is just as likely to be turned off in a briefcase under an airline seat, or quietly resting on a desk in a hotel room. The user has to remember to do the updates. And why do I go on about A/V, after indicating I wouldn’t? Even though we can effectively solve the computer virus problem with a combination of A/V software and policies, viruses and other “malware” continue to hurt a disturbing number of people. Obviously, users are not taking advantage of the existing solutions. Your job is to see that your mobile users do. Your users must be reminded.
2) Backups
The next important add-on is also not very sexy: backups. Years ago, people didn’t lose much data to hard disk crashes for the simple reason that they didn’t have hard disks. And then, once they did, they didn’t have room to store their data on the hard drive. Besides, they didn’t have the Internet connecting everyone with everyone else (for some value of “everyone”). So everyone stored and copied data to floppy disks. And almost 100 percent of computer viruses spread through floppy disks, too.
Today people have more storage area than they will ever use. The danger, of course, is that every document, every file, and every piece of e-mail they have ever received is kept on one system on one disk drive (and I know people like this). Okay, so disks “crash” less often today, but sometimes computers get stolen. And more often than that, the user deletes the wrong file.
Mobile users need backup software that is dirt-simple to use and media that is reliable, with capacity enough to be useful. This pretty much rules out floppies. CD-RWs are taking their place, and they are becoming more reliable. Users still have to remember and choose to do backups. Giving them the right tools increases the odds that they will.
3) Steel locking cables, or disk encryption
Even if your users remember to back up their data, mobile computers are still more likely to be stolen than their desktop cousins. This is not a bug, but the consequence of a feature: they are easy to carry around, and so, easy to steal. You can — and should — give all mobile PC users steel locking cables, to secure the computers while in hotel rooms (or the kind with proximity alarms that, like a nervous infant, loudly screech if moved too far from the owner).
Steel locking cables will work for the 20 percent of people who remember to use the lock. For the other 80 percent, you need disk encryption. PC disk encryption software is nearly bullet proof, and very user friendly (assuming the user remembers his password). Data encrypted using a unique secret key, which is protected by a password, leaves a thief with no way to access or otherwise use the data on the computer. His only option is to reformat the disk and install new software in order to use the computer at all.
Mobile PC theft has been on the rise in recent years. A stolen US State Department PC containing “thousands of classified documents about arms proliferation issues” got its 15 minutes of fame in April, 2000. If you believe the London tabloids, the British government was leaving notebook PCs all over the Underground and in the back seats of taxis at an alarming rate. Even if it doesn’t contain state secrets, a mobile PC belonging to the CEO of a corporation is likely to contain advanced development information, sales forecasts, merger and acquisition information, or other sensitive corporate data. The cost of the mobile PC pales in comparison to the value of the data it contains, making disk encryption a pretty attractive defense for any network administrator whose users are not perfect.
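The "unique secret key, protected by a password" design described above, written out as an added example (not code from the article or from any WatchGuard product): a random 32-byte data key encrypts the disk contents, and only that key is sealed under a key derived from the user's password, so a thief who lacks the password gets an authentication failure rather than data. Function names, the salt and the iteration count are assumptions of this example; the KDF is a hand-rolled single-block PBKDF2-HMAC-SHA256 so that only the Go standard library is needed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)
// KEKFromPassword: 32-byte key-encryption key via one-block PBKDF2-HMAC-SHA256 (stdlib only).
func KEKFromPassword(password, salt []byte, iters int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1
	u := mac.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iters; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// must panics on a constructor error; key sizes are fixed here, so it never fires.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Seal encrypts with AES-256-GCM under key, prepending a fresh random nonce.
// Seal(kek, dataKey) wraps the key; Seal(dataKey, data) is the disk contents.
func Seal(key, plaintext []byte) []byte {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, gcm.NonceSize())
	must(rand.Read(nonce))
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Open reverses Seal; a wrong key or altered ciphertext fails authentication.
func Open(key, sealed []byte) ([]byte, error) {
	gcm := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```

Because the password only ever protects the wrapped key, a password change re-seals 32 bytes rather than re-encrypting the whole disk.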
4) Personal firewalls
You knew I was going to get to “personal firewalls,” and so I have. A personal firewall acts as both a packet filter, making sure no incoming connections are allowed, and an intrusion detection device, shunning and reporting the attempts. Personal firewall software should be as ubiquitous as A/V software on any computer that sometimes finds itself directly connected to the Internet. This includes anyone foolish enough to connect a computer to a cable or DSL modem without the benefit of a small office firewall (such as the WatchGuard SOHO). In addition, anyone who, upon finding “high-speed Internet access” in a hotel room, would immediately connect up (which is just about all of us) should use a personal firewall. And change the “should” to “must” with any Windows version after Windows 98.
5) VPN client software
Finally, if the mobile computer user is going to connect back to the enterprise network over an outside network to exchange data of any worth, Virtual Private Network (VPN) client software, such as MUVPN, nicely completes the defenses. It’s simple. Your data is vulnerable to capture as it flows out from your computer, with the chance of eavesdroppers more or less likely depending upon your connection (least risky are dial-up connections, riskiest are hotel broadband or cable). VPNs allow you to communicate in safety with high security. Encrypt everything that leaves the mobile PC all the way to the Firebox, where it finds safety on the trusted network.
As Internet use has grown, it has also become normal for users of networked computers to want to carry them beyond the protective bounds of their corporate network. Just as nowadays no one would consider connecting to the Internet without a firewall, no company should send its mobile force out without the benefit of these five additional measures.
Copyright© 2002, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.