Overview of Mobile Device Security VPN Policy Integration - dummies

Overview of Mobile Device Security VPN Policy Integration

By Rich Campagna, Subbu Iyer, Ashwin Krishnan, Mark Bauhaus

If you allow your mobile device users VPN access to the corporate network, you likely already have a security policy in place that describes which types of users are allowed access and which applications they may reach remotely. VPN policies are typically enforced on a VPN gateway device at the network perimeter, where external users connect.

While shopping for VPN solutions for mobile devices, look for the following:

  • Wide range of supported mobile platforms for corporate access, such as these:

    • Apple iOS

    • Google Android

    • Windows Mobile and Windows Phone 7

    • Nokia Symbian

    • BlackBerry OS

    • Others such as HP webOS

  • Wide range of supported authentication methods:

    • Username and password-based

    • Certificate-based

    • Multifactor authentication (for example, cascading username and password-based authentication followed by certificate-based authentication, or vice versa)

    • VPN on demand (setting up a VPN tunnel automatically when the user attempts to access a corporate resource; in practice this depends on certificate-based authentication, because a tunnel that requires a typed password cannot come up silently)

  • Ability to assign role-based access to users, depending on their role within the enterprise

  • Ability to assign granular access to any or all of the following types of applications:

    • Web-based intranet content

    • E-mail

    • Full network access

Depending upon your corporate policy and your need for application control, you should choose between an IPsec VPN solution and an SSL VPN solution. Here is some information that can help you choose between the two:

  • IPsec VPN solutions: Provide network-layer access to remote users. Once the tunnel is up, the device is effectively on the corporate network, so any restriction on what it can reach has to be implemented with firewall rules or split-tunnel routing rather than by the VPN itself.

  • SSL VPN solutions: Usually allow more granular access control, letting you grant any or all of the application types listed earlier (web-based intranet content, e-mail, or full network access) per user or role.

Choose a solution that lets you manage mobile access control policies on the centralized VPN gateway that already manages remote access policies for your other remote users. Maintaining duplicate or redundant policy systems is counterproductive (and very costly!), and two separately maintained rule sets inevitably drift apart.

To integrate your existing VPN policies with mobile access control, here are the key decision areas you need to consider:

  • Your mobile security solution: Depending upon which security features you need on your users’ mobile devices, choose a solution that spans a broad range of mobile platforms. You may enforce any or all of the available protections on the devices, such as defenses against malware (viruses, Trojans, and so on) and spam.

  • Your endpoint security posture (level of risk): You may already have an endpoint security solution on your VPN gateway that grants network access only to devices with a sufficient security posture. You may want to extend this policy to mobile devices, allowing VPN access only to those mobile devices that are secured by the security software of your choice.

  • Your access control policies: Choose a VPN solution that can enforce a single set of access control policies, irrespective of where users connect from, or what devices they use to connect. Having a single set of policies that span across device and application types will make your life simpler.
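To make the three decision areas above concrete, here is an added example (not code from the book or from any VPN product) of how a gateway policy engine ties them together: a posture check that fails closed, role-based authentication requirements, and per-application scopes on an SSL VPN versus all-or-nothing network access on an IPsec VPN. The platform list, the role names, the scope names, and the device attributes are illustrative assumptions, and the session records at the bottom are constructed sample input.

```python
"""Mobile VPN access-policy evaluator: posture gate + role-based scopes.

Added example; the roles, scopes, platforms and device attributes are
illustrative assumptions, not a real gateway's policy schema.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Application scopes the text distinguishes, narrowest to broadest.
WEB, EMAIL, FULL = "web", "email", "full-network"

# Platforms the (hypothetical) gateway client supports.
SUPPORTED_PLATFORMS = {"ios", "android", "blackberry", "symbian",
                       "windows-phone", "webos"}

# Role -> (authentication methods the session must have completed,
#          application scopes that role may be granted). Illustrative.
ROLE_POLICY = {
    "contractor": ({"password"}, {WEB}),
    "employee":   ({"password"}, {WEB, EMAIL}),
    "admin":      ({"password", "certificate"}, {WEB, EMAIL, FULL}),
}


@dataclass(frozen=True)
class Device:
    platform: str                 # e.g. "ios"
    security_agent: bool          # approved security software installed?
    agent_up_to_date: bool        # agent/signatures current?
    auth_methods: FrozenSet[str]  # methods completed: "password", "certificate"


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    device: Device


def posture_ok(device: Device) -> bool:
    """Endpoint posture check: supported platform running the approved,
    current security agent. Anything else is insufficient posture."""
    return (device.platform in SUPPORTED_PLATFORMS
            and device.security_agent
            and device.agent_up_to_date)


def evaluate(session: Session, gateway: str = "ssl") -> Tuple[str, FrozenSet[str]]:
    """Return (decision, granted scopes) for one connection attempt.

    gateway="ssl":   granular per-application scopes from the role policy.
    gateway="ipsec": posture and authentication are checked the same way,
                     but a passing device receives full network access,
                     because IPsec cannot scope access by application.
    Every failure path returns ("deny", empty set): the policy fails closed.
    """
    if not posture_ok(session.device):
        return ("deny", frozenset())
    required, scopes = ROLE_POLICY.get(session.role, (None, None))
    if required is None:                      # unknown role
        return ("deny", frozenset())
    if not required <= session.device.auth_methods:  # missing auth factor
        return ("deny", frozenset())
    if gateway == "ipsec":
        return ("allow", frozenset({FULL}))
    return ("allow", frozenset(scopes))


if __name__ == "__main__":
    # Constructed sample sessions, not real data.
    compliant = Device("ios", True, True, frozenset({"password", "certificate"}))
    stale = Device("android", True, False, frozenset({"password"}))
    samples = [
        Session("alice", "admin", compliant),
        Session("bob", "employee", compliant),
        Session("bob", "employee", stale),
        Session("dave", "guest", compliant),
    ]
    for s in samples:
        for gw in ("ssl", "ipsec"):
            print(f"{s.user:6} {s.role:10} {gw:5} -> {evaluate(s, gw)}")
```

The same `evaluate` function serves every platform and connection path, which is the single-policy-set goal in the third decision area; the only thing that changes between SSL and IPsec is how much the gateway can narrow a passing device's access.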

Integration of mobile security functionality with your existing VPN solution has several advantages, such as the following:

  • Easy enforcement of mobile device security as an endpoint posture assessment check, prior to granting VPN access to users.

  • Easy enforcement of access control policies that are already defined on the VPN gateway.

  • Easy integration into the management capabilities of the VPN solution, thereby offering insights into the mobile device inventory and assets within the enterprise.