Managing security within the confines of an organization or enterprise is a difficult job. Worms, viruses, spam, malware, port scans and perimeter defense probes are constant threats. Servers and desktop systems require regular patching and monitoring, and IDS signatures and firewall rules are under constant review and tweaking. Thankfully, the desktops and servers sit well protected within the confines of your network. Imagine what it would be like if every user's system was located on your network perimeter and had none of the safeguards your multi-layered security systems provide.

Unfortunately, you most likely have such systems: your mobile users. Whether it's your sales force, world-traveling executives or just a user "working from home," these people are separated from all of your inner defenses and are at the mercy of their surroundings. You need a strategy to ensure their systems and their data are as safe on the road as they are within your own borders.

A layered defense

The best way to safeguard the mobile user is to use the same approach as you would when securing your network: use layers. You have to worry about the physical system security, network security and data security - it just so happens that it's all in one, compact, portable package: convenient for the attackers, not so convenient for those who need to manage those systems.

Your first concern is protecting the physical asset, which is most likely a laptop or notebook computer. To do that, you should give Josh Ryder's article on Laptop Security [ref 1] a good read. He has advice on keeping the laptop safe from theft and also on basic security measures, such as BIOS passwords. This step is akin to putting locks on the doors to your buildings.

Once you've secured the physical device, you need to switch gears and look at the other areas to secure: network, application/operating system and data.

Mobile network security in a connected world

Even when your users are mobile, they expect to be able to check e-mail, exchange files and have web access on the go. In the past, this would probably have meant dialing into the corporate remote access service via modem or using a direct ISDN connection. Security was "easy" in those days. Now, most organizations find that it is much more cost effective to let companies like iPass [ref 2] manage the connections - which are usually dial-up, broadband or WLAN Internet hookups - and provide access to corporate systems and data in some other fashion (e.g. an SSL VPN). If you don't have a unified access provider like iPass, users can still take advantage of services such as Boingo Wireless [ref 3] and T-Mobile [ref 4], and of public hotspots in hotels, Starbucks and Borders, to make that first connection to the Internet.

And that's where the trouble begins: you have a workstation (most likely running a flavor of Microsoft Windows) directly on the Internet, ready to be attacked by every worm, virus and hacker plaguing the address block it was assigned to. Your internal systems are protected by one or more firewalls, and that's exactly what is needed here: a personal, mobile firewall.

Starting with Windows 2000 and continuing with Windows XP, Microsoft has included with every system a basic firewall that is capable of performing the most important task required of a firewall: keeping the bad packets out. However, the built-in firewall has limitations. Users have to really know what they're doing if they want to do anything beyond blocking all incoming packets. Furthermore, there is no decent GUI to manage the configuration, no built-in reporting tool to examine logs and troubleshoot problems, and no easy way to deal with users who go back and forth between the road and the office (NOTE: XP makes it easier to create GPO/domain-based rules, but it still is not straightforward).
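The three gaps named above (a default-deny inbound posture, a way to review what was blocked, and rules that follow the user between office and road without manual switching) map onto the profile model of the Windows firewall on current systems. The script below is an added example, not code from the original article or from Microsoft, and uses the NetSecurity cmdlets available on Windows 8 / Server 2012 and later; the helpdesk subnet, the Group Policy name and the log location are assumed values. Run it from an elevated PowerShell session.

```powershell
# Added example (not part of the original article): baseline host-firewall policy for a
# mobile Windows laptop using the built-in NetSecurity cmdlets.
# Assumed values: the helpdesk subnet, the GPO name, and the log path below.
#Requires -RunAsAdministrator

$logPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"   # assumed: default log location

# 1. Default-deny inbound on every profile, so a laptop dropped onto a hotel or coffee-shop
#    network keeps the same posture it has behind the corporate firewall. Dropped packets
#    are logged so problems can be diagnosed without a third-party reporting tool.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName $logPath `
    -LogMaxSizeKilobytes 16384

# 2. Exceptions are scoped to the Domain profile, which Windows selects only when the machine
#    can reach its domain controller. On the road the active profile is Public or Private,
#    so the rule is inactive with no action required from the user.
$helpdeskSubnet = '10.20.30.0/24'   # assumed: management subnet allowed to reach RDP on-site
New-NetFirewallRule -DisplayName 'Helpdesk RDP (domain profile only)' `
    -Direction Inbound -Profile Domain -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $helpdeskSubnet -Action Allow -ErrorAction SilentlyContinue | Out-Null

# 3. When the same settings are delivered through Group Policy instead of run locally, also
#    refuse locally authored rules so users cannot punch their own holes. This switch only
#    takes effect from a GPO policy store, so it is shown here commented out.
# Set-NetFirewallProfile -PolicyStore 'contoso.com\Laptop Firewall Policy' `
#     -Profile Public, Private -AllowLocalFirewallRules False

# 4. Show which profile is active right now and confirm the posture of each profile.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-NetFirewallProfile   | Select-Object Name, Enabled, DefaultInboundAction, LogBlocked

# 5. A minimal log digest for troubleshooting: which remote sources and local ports account
#    for the most inbound DROP entries. Field positions follow the "#Fields:" header that
#    Windows writes to pfirewall.log:
#    date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack
#    tcpwin icmptype icmpcode info path
function Get-FirewallDropSummary {
    param(
        [string]$Path = $logPath,
        [int]$Top = 10
    )
    $drops = Get-Content -Path $Path -ErrorAction Stop |
        Where-Object { $_ -notmatch '^#' -and $_ -match '^\S+ \S+ DROP ' } |
        ForEach-Object {
            $f = $_ -split ' '
            [pscustomobject]@{
                Time    = "$($f[0]) $($f[1])"
                Proto   = $f[3]
                Source  = $f[4]
                DstPort = $f[7]
                Path    = $f[16]   # RECEIVE = inbound, SEND = outbound
            }
        } |
        Where-Object { $_.Path -eq 'RECEIVE' }

    [pscustomobject]@{
        InboundDrops = @($drops).Count
        TopSources   = $drops | Group-Object Source  | Sort-Object Count -Descending |
                       Select-Object -First $Top Name, Count
        TopPorts     = $drops | Group-Object DstPort | Sort-Object Count -Descending |
                       Select-Object -First $Top Name, Count
    }
}

# Usage: summarize what the firewall has been turning away since the laptop left the office.
Get-FirewallDropSummary | Format-List
```

The profile scoping in step 2 is the piece that removes the road/office problem for the user: the same rule set is always installed, and Windows decides which rules are live from the network it detects. The log digest in step 5 is deliberately simple; it reads the standard text log, so it works even on machines where nothing beyond the built-in firewall is installed.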

Ideally, the mobile user shouldn't have to know about firewalls at all. They want their mobile experience to be the same as it is on the inside: plug it in and work. Desktop administrators would also prefer that the users not know about the firewall at all, or at least not be able to modify the configurations. There are quite a few personal/desktop firewall products to choose from. Traditional network firewalls employ various methods to allow or deny network access and have strengths and weaknesses in various areas, especially depending on the type of firewall. Desktop/personal firewalls are no different. Here are some elements you should look for:
