Wireless laptop users offer unique security challenges. When
the remote user is a high-volume client, the challenges increase. Here’s some
food for thought.

I work with a group of client companies, all of which keep
large armies of representatives out on the streets, wheeling and dealing. This
wheeling and dealing requires that copious amounts of product and pricing
information be available on the spot—thus these representatives are all armed
with laptops, and the laptops necessarily contain databases that must be kept
as current as possible.

You can imagine what the Nineties were like, working with
these groups: frantic calls when database updates went awry; thousands of
dial-up downloads through awkward hotel-room connections; mismatches in
software from one machine to another, and few means of keeping everyone on the
same page.

Today, with the exploding availability of wireless
connectivity, the situation is both better and worse—better, in that the means
of communicating with these machines and keeping them current have improved a
hundredfold; worse, in that this easy communication means that the
headquarters database isn’t the only party out there that wants to reach out
and touch.

We’ll assume that
the additional security that is prudent in wireless networking is in place:
that you’re using WEP, and so on. This is important, but you’ll want to go even
further in mitigating the risks inherent in an unusually conversant machine.
Here are some steps to consider.

SSH tunneling

When your company’s
remote users are actually within your home network, Virtual Private Networking
is your choice for point-to-point secure tunneling between client and server.
When a laptop is out in the field, many states away, and the Internet is
sitting between client and server, SSH tunneling achieves the same thing.

Commonly
characterized as a secure Telnet alternative, Secure Shell port forwarding
provides a command-line interface with certificate-based security. Ideal for
doing secure e-mail checks from your laptop when you’re on the road, SSH
tunneling is also ideal supplementary protection for remote SQL sessions. And
you can use SSH to secure FTP and POP sessions: because the command channel is
encrypted, you don’t have to send your passwords out over the Internet in the
clear.
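
An added example, not part of the original article: a shell function that assembles the ssh port-forwarding command for the POP and SQL sessions described above. The gateway, host names, user name and local ports are constructed placeholders, and pinning each listener to 127.0.0.1 is a choice made here.

```shell
#!/bin/sh
# Added example. Host names, user name and local ports are constructed.

# is_port N: succeed if N is a decimal TCP port in 1..65535.
is_port() {
    case $1 in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# build_tunnel_cmd USER@GATEWAY LOCALPORT:DESTHOST:DESTPORT...
# Prints an ssh command line that forwards each local port through the
# gateway. Every listener is pinned to 127.0.0.1 so that other machines
# on the same wireless LAN cannot connect to the laptop's tunnel ports.
build_tunnel_cmd() {
    gateway=$1
    case $gateway in
        ''|-*) echo "bad gateway: $gateway" >&2; return 1 ;;
    esac
    shift
    [ "$#" -gt 0 ] || { echo "no forwards given" >&2; return 1; }

    # -N: forwarding only, no remote shell.
    # ExitOnForwardFailure=yes: ssh exits if a listener cannot be set up,
    # instead of running with a forward missing.
    cmd="ssh -N -o ExitOnForwardFailure=yes"
    for spec in "$@"; do
        lport=${spec%%:*}      # text before the first colon
        rest=${spec#*:}        # DESTHOST:DESTPORT
        host=${rest%:*}
        rport=${rest##*:}
        if ! is_port "$lport" || ! is_port "$rport"; then
            echo "bad port in: $spec" >&2; return 1
        fi
        case $host in
            ''|-*|*[!A-Za-z0-9.-]*) echo "bad host in: $spec" >&2; return 1 ;;
        esac
        cmd="$cmd -L 127.0.0.1:$lport:$host:$rport"
    done
    printf '%s %s\n' "$cmd" "$gateway"
}

# Dry run: POP3 (110) and a SQL listener (1433) behind the gateway.
build_tunnel_cmd rep@gateway.example.com \
    1110:mail.example.com:110 1433:sql.example.com:1433
```

With the tunnel up, the mail client is pointed at 127.0.0.1 port 1110 and the SQL client at 127.0.0.1 port 1433.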

For more details on
the implementation of SSH Tunneling, check out “Use SSH
Tunneling for secure B2B networking.”

Select a personal firewall with application-level features

When we speak of a
“high-volume” remote user, we’re not just addressing the roving local
database clients. There are users out there whose work entails the sending and
receiving of literally dozens or hundreds of communications a day, and who must
monitor or download information from Internet sources throughout the day.
Personal firewalls are essential security tools for such users.

Personal firewalls
do the same thing that network firewalls do, only they do it for a single
client laptop or workstation. A personal firewall is a good idea for any remote
user, roving laptop, or home-based desktop. But the high-volume client can get
an extra layer of protection by choosing personal firewall software that
specifically examines packet content. Most firewalls protect by performing
packet inspection, monitoring packets and their sequence and/or addresses; but
an application-layer firewall can examine contents, catching unsafe ActiveX
content, bogus script code, malevolent cookies, and other threats that slip in
via e-mail and the Internet.

And there’s another
benefit to personal firewall use: if an intruder does manage to get into a
remote user’s machine, vulnerabilities the user isn’t even aware of can be
exploited. For example, a user such as the sales/marketing database user
mentioned above may feel secure if all files and folders are unshared. But even
if the user hasn’t created any share points through file sharing, Windows has
left that door open: there are share points for every hard drive and one for
admin, and they have to be enabled or Windows won’t work. A personal
firewall will keep an intruder from exploiting them.

Stay away from Ad Hoc Mode

You can walk into
any Starbucks with half a dozen of your colleagues, fire up your laptops, and
form a wireless LAN spontaneously with no APs and no active configuration
tasks. If the laptops have ad hoc mode enabled, you have access to each
other’s hard drives. It’s easy to be seduced by the sheer coolness of this
capability, but it’s better to think of it in the same way you think of riding
a motorcycle without a helmet: cool, but stupid.

With ad hoc mode
enabled, you can pass large files to a colleague’s machine without the need for
cables or a network access point—incredibly convenient, but more dangerous than
you can imagine. An ad hoc machine basically has its hard drive open for
business. Anybody can slip in and take what they please from that hard drive.
The danger is even greater because the intruder not only has access to the open
machine, but to whatever network the open machine is accessing.