Wireless laptop users offer unique security challenges. When the remote user is a high-volume client, the challenges increase. Here’s some food for thought.
I work with a group of client companies, all of whom keep large armies of representatives out on the streets, wheeling and dealing. This wheeling and dealing requires that copious amounts of product and pricing information be available on the spot—thus these representatives are all armed with laptops, and the laptops necessarily contain databases that must be kept as current as possible.
You can imagine what the Nineties were like, working with these groups: frantic calls when database updates went awry; thousands of dial-up downloads through awkward hotel-room connections; mismatches in software from one machine to another, and few means of keeping everyone on the same page.
Today, with the exploding availability of wireless connectivity, the situation is both better and worse—better, in that the means of communicating with these machines and keeping them current have improved one hundred-fold; worse, in that this easy communication means that the headquarters database isn’t the only party out there that wants to reach out and touch.
We'll assume that the additional security that is prudent in wireless networking is in place: that you're using WEP, and so on. This is important, but you'll want to go even further in mitigating the risks inherent in an unusually conversant machine. Here are some steps to consider.
When your company's remote users are actually within your home network, Virtual Private Networking is your choice for point-to-point secure tunneling between client and server. When a laptop is out in the field, many states away, and the Internet is sitting between client and server, SSH Tunneling achieves the same thing.
Commonly characterized as a secure Telnet alternative, Secure Shell provides an encrypted command-line interface with certificate-based security, and its port forwarding extends that protection to other traffic. Ideal for secure e-mail checks from your laptop when you're on the road, SSH tunneling is also ideal supplementary protection for remote SQL sessions. And because the command channel is encrypted, you can use SSH to secure FTP and POP sessions so that your passwords never travel across the Internet in the clear.
For more details on the implementation of SSH Tunneling, check out "Use SSH Tunneling for secure B2B networking."
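As an added example that is not part of the original article, here is a POSIX shell script that sets up the kind of tunnel described above, carrying a POP3 mailbox check and a SQL Server session through one SSH connection so that the laptop's clients talk only to 127.0.0.1; the gateway and internal host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): carry a POP3 mailbox and a
# SQL Server session through one SSH connection. The laptop's mail and
# database clients connect to 127.0.0.1; only SSH traffic leaves the machine.
# All host names below are assumptions.

SSH_GATEWAY="rep@ssh.example.com"   # assumed: company SSH server on the Internet
MAIL_HOST="mail.internal"           # assumed: POP3 server reachable from the gateway
SQL_HOST="sql.internal"             # assumed: SQL Server reachable from the gateway

# One forward per line: local_bind:local_port:remote_host:remote_port.
# Local ends are pinned to 127.0.0.1 so the tunnel entrance never listens
# on the wireless interface, whatever GatewayPorts says in ssh_config.
tunnel_forwards() {
    printf '%s\n' \
        "127.0.0.1:1100:${MAIL_HOST}:110" \
        "127.0.0.1:1433:${SQL_HOST}:1433"
}

# Guard: read forwards on stdin and accept only loopback-bound ones.
# Returns 0 if all are, 1 if any would expose the tunnel to the hotspot.
loopback_only() {
    while IFS= read -r fwd; do
        case "$fwd" in
            127.0.0.1:*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Start the tunnel: -N opens no remote shell, -f backgrounds ssh only after
# the forwards are bound, and ExitOnForwardFailure turns a local port clash
# into a hard error instead of a tunnel that silently forwards nothing.
start_tunnel() {
    tunnel_forwards | loopback_only || {
        echo "refusing to start: a forward is not bound to loopback" >&2
        return 1
    }
    set --
    for fwd in $(tunnel_forwards); do set -- "$@" -L "$fwd"; done
    ssh -N -f -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 \
        "$@" "$SSH_GATEWAY"
}

# TUNNEL_START=1 sh tunnel.sh starts it; sourcing the file only defines functions.
if [ "${TUNNEL_START:-0}" = 1 ]; then
    start_tunnel
fi
```

Once the tunnel is up, point the mail client at 127.0.0.1:1100 and the SQL client at 127.0.0.1:1433; the passwords they send are encrypted inside the SSH session.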
Select a personal firewall with application-level features
When we speak of a "high-volume" remote user, we're not just addressing the roving local database clients. There are users out there whose work entails the sending and receiving of literally dozens or hundreds of communications a day, and who must monitor or download information from Internet sources throughout the day. Personal firewalls are essential security tools for such users.
Personal firewalls do the same thing that network firewalls do, only they do it for a single client laptop or workstation. A personal firewall is a good idea for any remote user, roving laptop, or home-based desktop. But the high-volume client can get an extra layer of protection by choosing personal firewall software that specifically examines packet content. Most firewalls protect by performing packet inspection, monitoring packets and their sequence and/or addresses; an application-layer firewall can also examine contents, catching unsafe ActiveX content, bogus script code, malevolent cookies, and other threats that slip in via e-mail and the Internet.
And there's another benefit to personal firewall use: if an intruder does manage to reach a remote user's machine, vulnerabilities the user isn't even aware of can be exploited. For example, a user may feel secure because all files and folders are unshared; the sales/marketing database user mentioned above is a good example. But even if the user has created no file shares, Windows has left that door open: there are share points for every hard drive and one for administration, and they have to stay enabled or Windows won't work. A personal firewall will keep an intruder from reaching them.
Stay away from Ad Hoc Mode
You can walk into any Starbucks with half a dozen of your colleagues, fire up your laptops, and form a wireless LAN spontaneously with no APs and no active configuration tasks; if the laptops have ad hoc mode enabled, you have access to each other's hard drives. It's easy to be seduced by the sheer coolness of this capability, but it's better to think of it in the same way you think of riding a motorcycle without a helmet: cool, but stupid.
With ad hoc mode enabled, you can pass large files to a colleague's machine without the need for cables or a network access point—incredibly convenient, but more dangerous than you can imagine. An ad hoc machine basically has its hard drive open for business. Anybody can slip in and take what they please from that hard drive. The danger is even greater because the intruder not only has access to the open machine, but to whatever network the open machine is accessing.
Scott Robinson is a 20-year IT veteran with extensive experience in business intelligence and systems integration. An enterprise architect with a background in social psychology, he frequently consults and lectures on analytics, business intelligence and social informatics, primarily in the health care and HR industries.