The mobility and remote-access boom is undeniable. Rapidly expanding wireless bandwidth - coupled with the improving capabilities of laptop computers, cell phones, personal digital assistants and other mobile devices - is making it possible for organisations to adopt new means of satisfying the mobile workforce's demand for anytime, anywhere access to information.

While the move toward mobility is technology powered, it is business driven. Companies of all sizes recognise that remote access has the power to drive productivity, improve customer service and add agility to the corporate business model by allowing users timely and secure access to valuable resources regardless of location.

Although the benefits of remote access are extensive, the trend challenges organisations to maintain an all-inclusive view of who is entering the corporate network and to create a well-controlled but user-friendly environment to access sensitive information. Security is a prime reason that many organisations resist enabling remote access, or confine it to a select group of users.

Opening the infrastructure for remote connection always involves risk. Without proper safeguards, organisations are susceptible to data and identity theft, network abuse, viruses, worms and other security threats.

Risk reduction

To reduce the risk many organisations turn to virtual private networks (VPN), which lets users access the company network via the Internet. Before implementing a VPN solution, it is important to consider not only security issues that can occur when users connect remotely, but to evaluate how much and what information your organisation is willing to share over a remote connection.

If you are planning to transfer data that is in any way sensitive, be wary of preinstalled VPNs. Though most operating systems have built-in VPN protocols that can be implemented at low costs, you typically get what you pay for, as these protocols often rely on little more than usernames and passwords, usually lack robust authentication and encryption components, and can easily become open doorways that allow hackers to introduce worms and viruses.

Fortunately, vendors specialising in security solutions offer a range of products to secure network resources for remote use while effectively minimising threats. Though just one option in the remote access arsenal, VPN is mature, proven and, when implemented correctly, a valuable tool in the IT security arsenal. The appeal of VPN technology largely stems from how easily it...:

  • Restricts access to select applications and files,
  • Manages authorisations,
  • Protects the corporate network from damage, even if an infected laptop tries to connect, and
  • Enforces access policies.
  • Of course, not all VPNs are created equally, and there are a few different standards for VPN protocols - many proprietary to particular vendors. Of these, however, the Secure Sockets Layer (SSL) is among the most popular because it uses the same encryption protocols as many e-commerce sites and web-enabled applications. In short, this means it will be more compatible with the networks your remote workers connect through - a critical consideration if your users are connecting via a wireless hot spot in an airport or coffee shop.

    Because of ease of implementation, cross-compatibility and a wealth of options, SSL VPNs are expected be the primary remote-access method for more than two-thirds of teleworkers, more than three-quarters of contractors and more than 90 percent of casual employee access by 2008.

    SSL is simple to install and makes use of firewall ports that have already been opened to secure Internet traffic, enabling users to connect into a network securely via a standard web browser without the need to install special software. This alleviates connectivity problems with firewalls and negates the need to install software on the remote clients (eg, desktops or laptops).

    SSL VPNs will support security policies that regulate access depending on the user, device or location. SSL can deny access if a less-than-secure situation is detected (for instance, logging on via an unsecured wireless LAN at a local coffee shop).

    Administrators also find SSL especially useful since they are able to make policy changes or edit authorisations without having to update software on employee machines. In addition, SSL offers optional capability to restrict access to select, critical applications and easily incorporates multiple layers of authentication.

    CDW's security experts recommend deploying personal firewalls, adware-scanning systems and intrusion-detection software on internal and mobile systems. For increased security, VPN applications can be configured to require all IP traffic to pass through the VPN tunnel, the same firewall as if the user were physically connected to the internal server, while the VPN connection is active. Mission-critical systems containing confidential corporate information should also leverage file-encryption and authentication applications.

    Mobility check-list

    Important things to consider before going mobile:

  • Before buying, ask vendors how they test their products for security.
  • Review software on the basis of security features.
  • Have a process for monitoring vulnerability of the network.
  • Install the latest patches, but first check newsgroups and other sources for patch anomalies.
  • After adding new programs or hardware, install the latest patches.
  • Use an automated tool to scan all PCs in the network for compliance and automatically download patches as appropriate.
  • Use open standards such as Security Assertion Markup Language (SAML) when developing software architecture. SAML allows businesses to make statements regarding the identity, attributes and entitlements of a user to other entities.
  • Do not use one server for multiple purposes (for example, web server plus DNS server); the more services, the more vulnerabilities.
  • Install firewalls inside the network, not just on the perimeter; segregate departmental applications.
  • Deploy intruder-detection systems internally and within each network segment system administrators.
  • Use one-time passwords - they can be intercepted but will be invalid for future sessions.
  • Stan Oien manages information security and computer networking experts at CDW Corp.