Wireless Security: The Basics
Encryption and authentication are the fundamentals of wireless security - here's your guide.
By Galen Gruman
If you're using 3G networks — such as the cellular carriers' EVDO and HSDPA networks — you can relax a little on security, says Maiwald. These networks handle authentication and encryption, so issues such as WPA authentication and SSL encryption for email are essentially handled for you. But as such networks gain in popularity — and new ones such as WiMax and the 700MHz spectrum are deployed — you can expect hackers to start looking for ways in, so it makes sense to apply a consistent security strategy to all connection channels, even if the means to achieve it may vary based on the specific channel, Maiwald says.
Dealing with handhelds
Mobile devices should use the same standards as laptops, and they should also support data encryption, so that if a device is lost or stolen, its data can't be easily accessed, Kocher says. This also applies to removable media and laptops. Other requirements include strong passwords (not four-digit PINs such as on the iPhone) that can be managed centrally by IT. Strong passwords are particularly important for mobile devices because they can more easily be lost or stolen, and because they tend to use less capable security approaches due to their limited processing power, they are easier to crack, he adds.
For laptops (and home PCs used for work), Kocher recommends whole-disk encryption so there's no question as to what had been encrypted if there is a breach. It doesn't matter whether the encryption is built into the operating system, such as with Windows Vista's BitLocker, or comes from a third party, such as the commercial PGP or open-source TrueCrypt.
The problem is that most mobile devices don't support these various security approaches (encryption, strong passwords, VPNs and more), or at least not all of them. The BlackBerry does, which is one reason it is so popular in the enterprise, says Jon Allen, information security officer at Baylor University in Waco, Texas. Apple's promises for the iPhone 2.0 software indicate it may come close, "but the jury's still out," Maiwald says. Windows Mobile 6 offers most of these capabilities when managed from Windows Exchange Server 2007, and vendors such as Bluefire Security Technologies in Baltimore, Md., Motorola's Good Technology Group and Sybase, Inc. offer an array of tools to add to many Windows Mobile and Palm devices.
It's also important to consider potential security holes when evaluating specialty mobile devices, such as wireless meter readers, airport baggage claim scanners, package scanners and retail kiosks, Maiwald warns. At Baylor University, Allen saw this issue surface in its point-of-sale terminals, which "hadn't anticipated wireless" in their original security designs, he says. When the university added wireless connectivity, "we had to button that down," he says.