The power of the newer Pocket PCs makes them attractive to organizations for use as highly mobile extensions of the LAN. However, their wireless operating modes make them vulnerable to "air gap" attacks which, if protective measures have not been taken, can provide unauthorized access to the network and the valuable information within. The underlying problem is the same as that faced by the "wired" world for the last decade: managing remote network access through an untrusted and hostile medium, namely the Internet. Fortunately, the solutions developed for the wired world can be applied to the wireless PDA problem. Instead of focusing on the air gap between PDA and access point, we can solve the PDA problem by treating the Pocket PC as just another remote network access node. In this manner, the true freedom of wireless Pocket PCs will finally be realized: Internet access that is as secure as a cabled LAN connection, without the mobility restriction.
PROTECTING NETWORK ACCESS POINTS
Wireless PDAs can and will provide a convenient gateway into the world of e-commerce. With a Pocket PC, a user can participate in online auctions, buy airline and concert tickets, order prescriptions, pay bills, and transfer balances. Anything that can be purchased while online can be bought using a wireless Pocket PC. However, the growth in such commerce will be limited until users feel comfortable that their personal and financial information cannot be readily stolen by someone eavesdropping on these wireless transactions.
To properly protect one's information from prying eyes, the data must be encrypted, both while it is stored in the Pocket PC and while it is in transit over the Internet. Too often, a user's entire identity sits inside his or her PDA: name, address, Social Security number, and passwords. In the hands of a crook, these can all be used to steal the user's identity.
Using a wireless Pocket PC is a two-edged sword. Wireless access to the Internet allows us to stay connected to the office and to other users without being tied to our desks. However, our information is no longer traveling over a cable; it is being broadcast through the air, where anyone with the right equipment can pick it up and listen in.
Remote access points should be protected with end-to-end security no matter what the transport vulnerabilities are. A Virtual Private Network (VPN) creates a secure "tunnel" through which encrypted data is sent over the Internet. This is accomplished with IP Security (IPSec), a protocol suite that has strengthened and matured over the years to include the Authentication Header (AH) for integrity and origin authentication, the Encapsulating Security Payload (ESP) for confidentiality, and the Internet Key Exchange (IKE) for negotiating keys and security associations.
Another safeguard is centralized management. Managing VPNs from a Security Operations Center increases security because the tunnels are monitored by screened and trained IT professionals; it also reduces costs, because the organization does not have to add IT/IS staff of its own.
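To make the integrity side of IPSec concrete, the following added example (not code from the article or from any vendor named in it) builds an Authentication Header in the RFC 4302 layout over a payload, verifies its HMAC-SHA-256-128 integrity check value on the receiving side, and enforces the 64-packet anti-replay window that a receiver keeps per security association. The key, SPI and payloads are constructed values; in a real deployment IKE negotiates them, and the ICV also covers the immutable fields of the outer IP header, which this simplified version omits.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this example; a real SA receives key and SPI from IKE.
ICV_LEN = 16        # HMAC-SHA-256-128: 256-bit HMAC truncated to 128 bits (RFC 4868)
AH_FIXED_LEN = 12   # next header (1) + payload len (1) + reserved (2) + SPI (4) + seq (4)
WINDOW = 64         # anti-replay window size, the RFC 4302 default


def build_ah(key: bytes, spi: int, seq: int, next_header: int, payload: bytes) -> bytes:
    """Return AH header + payload. Simplification: ICV covers only AH and payload,
    not the immutable outer IP header fields a full implementation would include."""
    # Payload Len field = AH length in 32-bit words minus 2 (RFC 4302 section 2.2)
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    header = struct.pack("!BBHII", next_header, payload_len, 0, spi, seq)
    # ICV is computed with the ICV field itself set to zero
    mac = hmac.new(key, header + bytes(ICV_LEN) + payload, hashlib.sha256).digest()
    return header + mac[:ICV_LEN] + payload


class InboundSA:
    """Receiver-side state for one inbound Security Association."""

    def __init__(self, key: bytes, spi: int):
        self.key = key
        self.spi = spi
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set means sequence number (top - i) was already accepted

    def verify(self, packet: bytes):
        """Return (next_header, payload) if the packet passes ICV and replay checks, else None."""
        if len(packet) < AH_FIXED_LEN + ICV_LEN:
            return None
        next_header, payload_len, _, spi, seq = struct.unpack("!BBHII", packet[:AH_FIXED_LEN])
        if spi != self.spi or (payload_len + 2) * 4 != AH_FIXED_LEN + ICV_LEN:
            return None
        # RFC 4302 order: reject replays before spending an HMAC on the packet,
        # but only advance the window once the ICV has been verified.
        if not self._replay_check(seq):
            return None
        icv = packet[AH_FIXED_LEN:AH_FIXED_LEN + ICV_LEN]
        payload = packet[AH_FIXED_LEN + ICV_LEN:]
        covered = packet[:AH_FIXED_LEN] + bytes(ICV_LEN) + payload
        expected = hmac.new(self.key, covered, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return None
        self._replay_update(seq)
        return next_header, payload

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:                      # sequence number 0 is never valid
            return False
        if seq > self.top:                # ahead of the window: always new
            return True
        offset = self.top - seq
        if offset >= WINDOW:              # too old: fell off the left edge of the window
            return False
        return not (self.bitmap & (1 << offset))   # inside window: new only if bit unset

    def _replay_update(self, seq: int) -> None:
        if seq > self.top:
            shift = seq - self.top        # slide the window right; old bits fall off
            self.bitmap = ((self.bitmap << shift) & ((1 << WINDOW) - 1)) | 1
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


if __name__ == "__main__":
    key = b"constructed-example-key-do-not-reuse-0001"
    sa = InboundSA(key, spi=0x1000)
    first = build_ah(key, 0x1000, 1, 17, b"hello")   # next header 17 = UDP
    print("genuine packet:", sa.verify(first))
    print("replayed packet:", sa.verify(first))
    forged = first[:-1] + bytes([first[-1] ^ 0x01])
    print("tampered payload:", sa.verify(forged))
```

The receiver's window is what makes a recorded-and-resent packet useless to an attacker even though its ICV is still valid; the ICV, in turn, is what makes a modified packet fail even though its sequence number is fresh. Both checks belong on every inbound SA, whichever vendor's client sits at the far end of the tunnel.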
Interoperability standards increase security by ensuring that one end of the VPN can establish a secure tunnel to the other end even if that other end is a product from a different vendor, or on a different platform. Shortcomings in interoperability generally lead to security shortcuts being taken, and limited security (or none at all) being applied.
SafeNet's SoftRemotePDA for Pocket PC 2002 (Fig. 1) offers users all of these safeguards, because it is compatible with IPSec standards and, when combined with SafeNet's Trusted Services operations center, assures users that their information is safe inside secure, professionally monitored VPNs. Other PDA VPN vendors include Certicom, Columbitech, and Ecutel.

Fig. 1. The VPN tunnels securely through the Internet to provide access to network resources. SafeNet SoftRemote PDA is used here as the mobile client.