Mobile Devices on the LAN
iPhone Hype, get your iPhone hype here!
Those handsome, intelligent and engaging folks over at Astaro Internet Security have just introduced a very easy IPSec client auto-setup for an iPhone to connect to a protected LAN. This got me thinking. There is a lot of information available on securing your iPhone and other mobile devices from intrusion, but there isn’t a lot of information available about securing your LAN from intrusion from your mobile users.
The idea of using a full IPSec tunnel for all network traffic is great for iPhone security. You are no longer sending data in the clear, whether it’s to your corporate mail server or to Gmail. This should cut back on some threats at the iPhone level. But because the tunnel also gives the device access to your LAN, it can create a whole new set of issues on the LAN side.
A lot of security types are used to thinking about mobile devices the same way they think about laptops. After all, they are similar: they’re mobile, they can hop on and off your local (trusted) wireless link, they have remote access capabilities, etc. I posit that they are, in fact, different in a few key ways. For instance, most people turn their laptops off (or at least have them sleep) while they are actively traveling. This is not the case for mobile devices. The chances of a mobile device attaching to a rogue, unsecured or malevolent access point are far greater, so its exposure to all sorts of nastiness is greater too. How can you trust something like that on your LAN?
I would like to suggest some ideas (in bullet point goodness):
- Expect the Worst
  - Always assume that a mobile device is owned (compromised) and treat it as such; it will be easier to deal with when it actually happens.
- Segment Mobile Devices
  - Whenever possible, limit access to the LAN. Only give access to business-critical infrastructure that is in a secure place, preferably segmented from any LAN.
  - Set up different SSIDs, WLANs and access points specifically for mobile users when they are in the office.
  - Do not allow mobiles to communicate with laptops and other wireless devices.
- Use Device Level Security
  - Find reputable applications that protect the mobile device from intrusion.
  - Use VPNs when possible to ensure no data is sent in the clear. Keep in mind that a full tunnel also brings the device’s traffic onto your LAN, with the effects described above.
- Make Concise and Enforceable Usage Policies
  - Make sure that anybody who can gain access to your network with a mobile device is subject to a strict usage policy. This at least allows you to take action when/if an incident occurs. This policy should be different from any other current remote access policy, as the concepts are different.
  - Training is considered somewhat “controversial”, as you can’t ensure that people will learn from it and listen. However, it is a good start and most people will be receptive (or face your wrath).
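As an added example (not from the original post), here is how the “Segment Mobile Devices” bullets could look as an nftables ruleset on a Linux gateway: the mobile-only WLAN may reach exactly one business-critical host on two ports plus the Internet, everything else it sends toward the LAN is logged and dropped, and nothing on the LAN may open connections toward it. The interface names, subnets and the mail server address are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not the author's configuration. Assumed (hypothetical) layout:
#   vlan10 / 10.0.10.0/24  wired LAN, incl. the mail server 10.0.10.5
#   vlan20 / 10.0.20.0/24  trusted corporate WLAN used by laptops
#   vlan30 / 10.0.30.0/24  mobile-only SSID/WLAN
#   eth0                   uplink to the Internet
MOBILE_IF=vlan30
MOBILE_NET=10.0.30.0/24
MAIL_SERVER=10.0.10.5
WAN_IF=eth0

# Emit the ruleset as text so it can be reviewed before loading with `nft -f -`.
mobile_segment_ruleset() {
    cat <<EOF
table inet mobile_seg {
    # Decisions for traffic arriving from the mobile segment.
    chain from_mobile {
        # only the mail server, and only IMAPS/HTTPS on it
        ip saddr $MOBILE_NET ip daddr $MAIL_SERVER tcp dport { 443, 993 } accept
        # plain Internet access is fine; it never touches the LAN
        oifname "$WAN_IF" accept
        # anything else (laptops, other WLAN clients, servers) is logged and dropped
        log prefix "mobile-seg-drop: " drop
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # replies to sessions already allowed keep flowing
        ct state established,related accept
        iifname "$MOBILE_IF" jump from_mobile
        # the LAN never initiates connections toward mobile devices
        oifname "$MOBILE_IF" ct state new drop
    }
}
EOF
}

# Sanity check for the generated policy: exactly one accept rule names a LAN
# destination (the mail server); everything else toward the LAN falls to drop.
mobile_lan_accept_count() {
    mobile_segment_ruleset | grep 'ip daddr' | grep -c accept
}

if [ "${1:-}" = "--print" ]; then
    mobile_segment_ruleset
fi
```

Running the script with `--print` shows the ruleset; piping that output into `nft -f -` on the gateway applies it, and the `mobile-seg-drop:` log prefix makes the dropped mobile-to-LAN attempts easy to pick out of the kernel log.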
As always, I would love to hear some feedback. Let me know if anything I’ve said has worked successfully. Report bugs in this theory to bugtaq… (or in the comments section).
-Tim
*** This is a Security Bloggers Network syndicated blog from Security Workshop authored by Tim Cronin. Read the original post at: http://securityworkshop.blogspot.com/2009/02/mobile-devices-on-lan.html