Secure mobility requires more than simple SSL VPN remote access

Technology has radically changed what it means to "go to work," but remote access is a far cry from secure mobility. Enterprises with WAN security in mind must think about the two in tandem.

For years, workers have been using remote access technologies to access wide area network (WAN) resources from any location and any device -- from the proverbial salesperson checking email on his personal smartphone to the midlevel manager remotely retrieving files from her laptop via a secure sockets layer virtual private network (SSL VPN) on an unsecured wireless network at a conference center. But remote access is a far cry from...

secure mobility, and enterprises must think about the two in tandem.

"We have this term 'secure remote access,' but too often what we have is remote access where the tunnel is secure," said John Kindervag, senior analyst with Forrester Research. "[Hackers] can't necessarily grab that traffic and get the payload out of it, but at the same time, anyone who's on that tunnel can do anything they want because that tunnel is not inspected."

You can't always be sure that the employee's going to fire off the SSL VPN.
Lawrence Orans
Research DirectorGartner Inc.

WAN security gets trickier once users leave the four walls of the corporate and branch offices, Kindervag said. Even when users connect via SSL VPN, there is still plenty of room for error.

Remote access creates a secure tunnel to protect data from prying eyes, but secure mobility means ensuring the legitimacy of who's using that tunnel and his or her activity inside it, he said.

"If I'm a hacker and I get credentials, I can log onto anybody's VPN and I can have 'secure remote access,'" Kindervag said. "I'm secure from other people stopping me, essentially, because I can do anything I want to on the network, and that's the scary thing."

Meanwhile, other vulnerabilities arise when employees access the Internet from devices they use for work and personal use, potentially dragging Web-based viruses and malware into the WAN, according to Lawrence Orans, a research director at Gartner Inc.

"You can't always be sure that the employee's going to fire off the SSL VPN," Orans said. "If I check into the hotel and the first thing I do before meeting with my client is check my fantasy football team, I'm obviously not on the SSL VPN."

Secure mobility still a hurdle for many enterprises

For many enterprises, secure mobility is not even on the radar, Orans said. Those who are looking to tackle it are pursuing cloud-based gateways, he said.

"A lot of them aren't dealing with it right now. A lot of them are focused very much on securing workers on premise -- within the four walls," he said. "We're getting a lot of questions about mobile workers, and the people who are taking the early steps there are turning to some of the security-as-a- service offerings."

Instead of barricading itself with firewalls, one German reinsurance company is instead looking at deperimeterization to secure its remote and mobile workers across Europe and North America, according to Peter Bishop, IT manager at Munich RE.

Although he had hoped to use an IPsec-based solution, good management tools are scarce, Bishop said. He is vetting some remote access products from Juniper Networks, looking for the right combination of strong protocols and encryption methods to improve WAN security and cut costs.

"Initially, we were interested in the topic as we wanted to save money by taking out or reducing the DMZ," Bishop said. "The whole system is being reviewed as we are consolidating several data centers."

Cisco's "Borderless Networks" vision is all about secure mobility

Users can get frustrated with or discouraged by their enterprise's clunky VPN client, compromising any chance of achieving secure mobility, according to Fred Kost, director of marketing for security solutions at Cisco, which recently announced its "Secure Borderless Networks" vision.

As part of its combined software and hardware package due out later this year, Cisco's AnyConnect Secure Mobility client installed on smartphones and laptops would keep them permanently connected to the VPN.

Cisco's software also allows administrators to institute some policy controls, such as automating, limiting or revoking access to Software as a Service (SaaS) applications, Kost said.

Internet traffic from the device would then hit the Web gateway, Cisco's Adaptive Security Appliance (ASA), ensuring that any Web browsing on a mobile device doesn't track footprints back to the WAN, he said.

The third part of the equation is TrustSec, a group of products that now includes Cisco's network access control (NAC) and its identity-based networking service (IBNS) appliances -- bringing them into the fold with its other access control products.

Early demonstrations of Cisco's offerings were "impressive" but incomplete, according to analysts. Kindervag said secure mobility will require more protection from "insider" attacks and Web 2.0-based threats.

"This stuff kind of deals with going to a bad website, but that's sort of a Web 1.0 thing," Kindervag said. "Clearly, it's the first step to something bigger, as it always is with Cisco, so we'll have to see how it evolves and matures over time. But this is going to become something a lot of IT managers are going to be interested in because it's going to ease some of their support burden related to remote access."

"I'd say it's a strong announcement, but overall, there's some work to do," Orans said. "When you talk about mobile workers, you need to deliver a unified console."

Let us know what you think about the story; email: Jessica Scarpati, News Writer

Dig deeper on Remote access

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchNetworking

SearchUnifiedCommunications

SearchTelecom

SearchSDN

Close