
Handheld Security: Part V – Enforce Policies, Keep Network Safe

By Laura Taylor
March 29, 2005

After much resistance, you've finally decided to allow your employees to connect their cell phones, personal digital assistants, and smartphones to your corporate network. From an operational standpoint, you've already set up provisions for a handheld VPN client for users to make use of and have made handheld firewalls and anti-virus software available to them.

The only thing left to do before you give the green light for the new functionality and privileges is to put the security policies in place.

What security policies should you make your users and administrators adhere to regarding the use of handhelds?

In this article, Laura Taylor helps you draft some handheld interconnection policies.

Justification for Security Policies
While you shouldn't have to justify the need to put security policies for mobile devices in place, you still might find yourself doing just that. Some folks in your organization may not even understand why security policies for handhelds are necessary.

Here is what you should tell them:

Some handhelds are simple cell phones that pose few risks to your network. Smartphones, PDAs, and cell phones with Bluetooth, on the other hand, expose your network to the same types of risks as desktop computers.

There are viruses, worms, Trojans, denial of service attacks, session hi-jacking, IP spoofing, and password sniffing.

Like desktop and laptop systems, handhelds are most likely to propagate viruses through e-mail. Today's PDAs and handhelds can send and receive e-mail through either a direct connection (via dial-up or VPN) or through Web browsers.

The more ways a mobile handset or PDA can connect to the online world, the more vulnerable it is. Many of the latest handhelds connect to the online world via multiple conduits such as:

  •  Through the Web
  •  Through dial-up
  •  Through VPN
  •  Through CDMA, TDMA, or GSM
  •  Through WiFi
  •  Through Bluetooth
  •  Through HotSync

All of these conduits are potential paths and openings for viruses, Trojans, and password sniffers. By following your corporate security policies, not only will end-users help protect your expensive corporate infrastructure, they will also help protect their expensive mobile device.

Whether handhelds are purchased by end-users out of their own pocket, or by your corporation or federal agency, you need to ensure that the end-users abide by rules and regulations to keep your enterprise networks safe.

If you are a federal agency and are striving to get good scores on your FISMA Cyber Security Report Card, you'll need end-user Rules of Behavior that include handhelds.

Policies for End-Users
Your organization's end-user policies—often referred to as Rules of Behavior—will vary according to your unique infrastructure and requirements. You need to obtain acknowledgement from your end-users that they agree to abide by these policies.

Acknowledgement can be obtained online through an automated mechanism, by a simple e-mail, or on a signed piece of paper.

These are the types of behaviors you want your end-users to agree to, written as though for end-users to read:

  •  I agree to make sure my cell phone, PDA, or smartphone is password protected

  •  I agree to use a password that is 8 characters in length with mixed case characters

  •  I agree not to share my password with anyone

  •  I agree to report any suspicious behavior noticed on my handheld to the HelpDesk

  •  I agree to make sure that any sensitive corporate information that I put on my mobile device is encrypted

  •  If my handheld is stolen, I agree to report it to security and IT as soon as possible

  •  I will ensure that I use the secure remote access VPN to connect to the corporate network for the purpose of checking e-mail via my handheld

  •  I agree to disable HotSync/ActiveSync when not using it

  •  I agree to make sure that the most up to date security patches are installed on my handheld

  •  I agree to keep an anti-virus client installed on my handheld if I am going to connect it to the corporate network

  •  I agree to keep the anti-virus signatures on my handheld up to date

  •  I agree to keep a handheld firewall installed on my handheld/PDA if I am going to connect it to any system on the corporate network

  •  I agree to use the security policies on my handheld firewall that are recommended by the corporate security team

  •  If a handheld firewall is not available for my PDA platform, I agree not to connect it to the corporate network

  •  If I use Wi-Fi, I will ensure that WEP is enabled and I will only connect to wireless networks configured with WEP

  •  I agree to protect Classified Information with encryption and data wiping software

Remind your users that though these steps may appear restrictive, taking these precautions will help ensure that their expensive handheld device is not sabotaged by viruses, Trojans, and unauthorized users.

Policies for Administrators
Administrators need to ensure that operational provisions for handheld users are put in place, and your business needs require that both end-users and administrators be held accountable for doing the right thing.

Not only that, policies set standards.

So administrators should not have to wonder what rules they are supposed to follow when setting up an account. Having policies for systems administrators also ensures that all of the accounts are being set up the same way.

The policies should be clearly spelled out so that the administrators understand exactly what it is that they are supposed to do. Be sure to include the systems and security administrators in defining both the end-user policies and the administrator policies.

Administrators should advise end-users on how to configure their handheld firewall. HotSync uses TCP and UDP ports and ActiveSync uses TCP ports to synchronize.

End-users need to know whether these ports may be opened, and when. While those TCP and UDP ports are open, hackers may attempt to connect to them.

While policies will vary from organization to organization depending on your infrastructure and requirements, below are some sample policies for handhelds that would be appropriate for system administrators:

  •  No end-users shall receive handheld access to the network without first agreeing to the End-User Rules of Behavior

  •  End-users shall be given a list of which handheld operating systems are allowed on the network

  •  All handheld users shall be set up with a secure remote access VPN client to connect to the corporate network

  •  End-users shall be advised as to which anti-virus client to use

  •  End-users shall be advised as to which handheld firewall to use

  •  All desktops or laptops that use HotSync or ActiveSync shall have a personal firewall installed on them

  •  End-users with handhelds shall be advised as to how to set up the rules file on their handheld firewall

  •  Handheld firewalls shall be configured to only allow network traffic to/from given corporate IP addresses, and all other IP addresses shall be blocked

  •  Handheld firewalls shall be configured to only allow certain port numbers open

  •  Handheld firewalls shall be configured to log security events and send alerts to security-manager@company.com

  •  All handheld users shall become part of the group or netgroup associated with handheld access

  •  The handheld group or netgroup shall be configured and registered with ActiveDirectory or LDAP

  •  Handheld groups and netgroups shall not be given access to sensitive corporate resources

  •  Handheld groups and netgroups shall be set up to restrict access privileges to only those services and systems required

  •  All corporate firewalls shall restrict handheld groups and netgroups from sensitive IP addresses and network ranges on corporate networks and systems

  •  Handheld security policies should be automated as much as possible by configuring restrictive settings that affect handhelds into firewalls, VPNs, intrusion detection systems, and directory servers

Hopefully reviewing these fictitious policies will help you understand the types of security policies that are needed on enterprise networks.

Administrators should become familiar with which ports ActiveSync (Windows Mobile) and HotSync (Palm) use so that handheld firewalls can be properly configured. Table 1 indicates which TCP and UDP ports ActiveSync and HotSync use.

Table 1. TCP and UDP Ports Used by ActiveSync and HotSync

                TCP Ports Used            UDP Ports Used
    ActiveSync  990, 999, 5678, 5679      ---
    HotSync     14237, 14238              14237
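The administrator policies above call for handheld firewalls that admit only corporate addresses, open only the ports the sync software needs, and log and alert on everything else. The following Python block is an added example, not code from the article and not the rules-file syntax of any handheld firewall product: it encodes the Table 1 ports, a constructed set of corporate address ranges, and a constructed list of inbound connection attempts, then applies a default-deny decision to each attempt and produces log lines addressed to the security-manager@company.com alert recipient named in the policy list. The `Connection` record, the `CORPORATE_RANGES` values and the `SAMPLE` traffic are all assumptions made for the example.

```python
# Added example: a toy "rules file" evaluator for the handheld firewall
# policies in the article. It is not the configuration format of any real
# handheld firewall; the corporate ranges and sample traffic are constructed.
import ipaddress
from dataclasses import dataclass

# Table 1 of the article: ports each sync protocol uses (TCP and UDP).
SYNC_PORTS = {
    "ActiveSync": {"tcp": {990, 999, 5678, 5679}, "udp": set()},
    "HotSync":    {"tcp": {14237, 14238},         "udp": {14237}},
}

# Assumed corporate address ranges (constructed for this example).
CORPORATE_RANGES = [
    ipaddress.ip_network("10.10.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Alert recipient named in the administrator policy list above.
ALERT_RECIPIENT = "security-manager@company.com"


@dataclass(frozen=True)
class Connection:
    """One inbound connection attempt seen by the handheld firewall (assumed shape)."""
    peer: str    # remote IP address
    proto: str   # "tcp" or "udp"
    port: int    # local port the peer is trying to reach


def allowed_ports(sync_clients):
    """Merge the Table 1 ports for only the sync software actually in use."""
    ports = {"tcp": set(), "udp": set()}
    for name in sync_clients:
        for proto, numbers in SYNC_PORTS[name].items():
            ports[proto] |= numbers
    return ports


def decide(conn, corporate_ranges, ports):
    """Default-deny: allow only corporate peers, and only on approved sync ports."""
    peer = ipaddress.ip_address(conn.peer)
    if not any(peer in net for net in corporate_ranges):
        return "BLOCK", "peer outside corporate address ranges"
    if conn.port not in ports.get(conn.proto, set()):
        return "BLOCK", f"{conn.proto}/{conn.port} is not an approved sync port"
    return "ALLOW", "corporate peer on approved sync port"


def audit(connections, sync_clients, corporate_ranges=CORPORATE_RANGES):
    """Apply the policy to each attempt; blocked attempts become log/alert lines."""
    ports = allowed_ports(sync_clients)
    verdicts, log = [], []
    for conn in connections:
        verdict, reason = decide(conn, corporate_ranges, ports)
        verdicts.append(verdict)
        if verdict == "BLOCK":
            log.append(f"BLOCK {conn.proto}/{conn.port} from {conn.peer}: {reason} "
                       f"(alert -> {ALERT_RECIPIENT})")
    return verdicts, log


# Constructed sample traffic: a corporate desktop syncing over HotSync, the
# same desktop probing a non-sync port, an outside host probing the HotSync
# port, and a corporate host using an ActiveSync port.
SAMPLE = [
    Connection("10.10.4.20", "tcp", 14237),
    Connection("10.10.4.20", "udp", 14237),
    Connection("10.10.4.20", "tcp", 23),
    Connection("203.0.113.9", "tcp", 14237),
    Connection("192.168.50.7", "tcp", 5678),
]

if __name__ == "__main__":
    verdicts, events = audit(SAMPLE, ["HotSync"])
    for conn, verdict in zip(SAMPLE, verdicts):
        print(verdict, conn)
    print("\n".join(events))
```

With only HotSync approved, the two 14237 attempts from the corporate desktop are allowed, the desktop's probe of port 23 and the outside host's HotSync attempt are blocked and logged, and the ActiveSync port stays blocked until "ActiveSync" is added to the approved sync clients. Adding a product to `SYNC_PORTS` is the only change needed to extend the list, which is the point of keeping the port table separate from the decision logic.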

The Upshot
The more powerful and versatile mobile devices become, the more your users will want to use them. Viruses and worms for these devices, however, are proliferating at increasing rates.

Like desktop computers, handhelds are susceptible to port scanning, denial of service attacks, session hijacking, spoofing, theft of information, and theft of the device itself. In addition, many end-users store passwords, credit card information, and sensitive company information in personal databases on their PDAs, smartphones, and cell phones.

As a result, when you allow workers to connect their handhelds to the corporate network you are putting the enterprise at risk. That's why precautions are so important.

Ensuring that both end-users and administrators follow specified security policies is one way to mitigate risks. The security policies should be reviewed on an annual basis and refined and updated as needed. And the company security officer should be held accountable for ensuring that the security policies are enforced.
