Hotspot Safety for Business Users - Page 2
February 01, 2008
Help users get connected. Companies that want to pay for employee hotspot use should contract with a wireless carrier (e.g., T-Mobile, AT&T), hotspot provider (e.g., Boingo), or Internet access aggregator (e.g., iPass, Fiberlink). Subscriptions can help companies control hotspot costs by applying flat-rate fees or enforcing bandwidth limits. They can encourage use of reputable hotspots by requiring employee payment at any other hotspot. Many providers offer connection managers that automate secure login to deter password snarfing and evil twin attacks. In fact, connection managers can play a vital role in hotspot security policy enforcement. Most can auto-launch specified executables (e.g., VPN clients, host security checkers) upon hotspot connect. Some can even monitor ongoing activity and disconnect if any mandatory process goes down.
Help users stay connected. Wi-Fi laptops tend to remain stationary during hotspot use, but handheld devices (like dual-mode smartphones) often do not. If you have workers who need to stay connected when moving between Wi-Fi hotspot and 3G wireless, consider equipping those devices with a Mobile VPN (e.g., NetMotion, Columbitech, AppGate). Unlike conventional IPsec or SSL VPNs, Mobile VPNs expect the client's physical connectivity and IP address to change, taking steps to provide application persistence even when the client roams into a dead spot and loses connectivity. To be clear, there are many hotspot users who don't roam and don't require a Mobile VPN. However, those who do often kill legacy VPNs that get in their way. A user-friendly alternative can promote safe communication at hotspots and everywhere else.
Watch over your workforce. Many security incidents are caused by Wi-Fi transparency. It is unrealistic to expect users to avoid threats they just can't see. For comprehensive hotspot protection, complement your host firewall with a Wireless IPS agent that can stop threats at the MAC layer. Unlike a "personal" host WIPS that warns the user, an enterprise host WIPS (e.g., AirTight SpectraGuard SAFE) is controlled by a central server. That server enforces wireless connectivity rules and monitors incidents. For example, a host WIPS can stop simultaneous connection to Wi-Fi and Ethernet, preventing bridging onto your corporate network. It can stop users from seeing black-listed SSIDs, Ad Hoc nodes, or software APs. A host WIPS can require permission before connecting to a hotspot SSID or unfamiliar MAC, making users think twice before engaging in risky behavior and letting you know when they do.
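To make the enforcement rules from the connection-manager and host WIPS paragraphs above concrete, here is an added illustration (not code from the article or from any product it names) of the policy decision such an agent makes after each hotspot association. The HostState and Policy types, the process names, and the sample SSIDs and MACs are all constructed for the example; a real agent would populate HostState from the OS and act on the returned verdicts.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed model of what an agent observes on the laptop (hypothetical, not a real API).
@dataclass
class HostState:
    wifi_ssid: Optional[str]   # SSID currently associated, None if Wi-Fi is idle
    wifi_bssid: Optional[str]  # MAC of the AP or peer the client is attached to
    wifi_mode: str             # "infrastructure" or "adhoc"
    ethernet_up: bool          # wired link active at the same time?
    running: Set[str]          # process names currently alive

@dataclass
class Policy:
    required: Set[str]         # processes that must stay up while at a hotspot
    blocklisted_ssids: Set[str]
    approved_bssids: Set[str]  # APs the user may join without being asked

def evaluate(state: HostState, policy: Policy) -> List[str]:
    """Return the ordered actions the agent should take; an empty list means allowed."""
    actions: List[str] = []
    if state.wifi_ssid is None:
        return actions                       # no wireless link, nothing to enforce
    if state.ethernet_up:                    # Wi-Fi + Ethernet = bridge into the LAN
        actions.append("DISCONNECT: Wi-Fi and Ethernet up together (bridging risk)")
    if state.wifi_mode == "adhoc":           # peer-to-peer nodes are never permitted
        actions.append("DISCONNECT: ad hoc association is not permitted")
    if state.wifi_ssid in policy.blocklisted_ssids:
        actions.append(f"DISCONNECT: SSID {state.wifi_ssid!r} is black-listed")
    if state.wifi_bssid not in policy.approved_bssids:   # unfamiliar MAC: ask first
        actions.append(f"PROMPT: unfamiliar AP {state.wifi_bssid}, ask user before proceeding")
    for proc in sorted(policy.required - state.running):  # mandatory process died
        actions.append(f"DISCONNECT: mandatory process {proc} is not running")
    return actions

# Constructed policy and two constructed observations, one compliant and one not.
POLICY = Policy(required={"vpnclient", "hostcheck"},
                blocklisted_ssids={"cafe-open"},
                approved_bssids={"00:11:22:33:44:55"})
SAMPLE_OK = HostState("carrier-hotspot", "00:11:22:33:44:55", "infrastructure",
                      False, {"vpnclient", "hostcheck"})
SAMPLE_BAD = HostState("cafe-open", "66:77:88:99:aa:bb", "adhoc", True, {"hostcheck"})

if __name__ == "__main__":
    for name, state in (("compliant", SAMPLE_OK), ("violating", SAMPLE_BAD)):
        print(name, evaluate(state, POLICY))
```

Every verdict is returned rather than only logged so the central server described above can record which rule fired and for which user.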
Educate your employees. Measures like these can protect workers who connect to public hotspots. Taking responsibility for security installation, configuration, monitoring, and response can reduce your risk, let you see how hotspots are being used, and enforce policy compliance. However, security awareness training is still important. Educate workers about hotspot threats and the steps you've taken to mitigate them. Explain what they must do to satisfy your acceptable use policy and the consequences of non-compliance. Where vulnerabilities remain, teach workers how to protect themselves--for example, recommend how to secure personal communication and avoid accidental associations at home. Finally, listen to employee feedback and adjust your policies and implementation to deliver hotspot security AND usability.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. She has been involved in the design, implementation, assessment, and testing of NetSec products and services for over 25 years.