Security on the Go

Oct 1, 2005 12:00 PM, BY ERIN SEMPLE

Wireless LANs at airports and hotels can present high risk, since they can easily be spoofed. A laptop connecting in such a location may be subject to probes and scanning, file shares may be compromised, and interlopers can even piggyback on VPN sessions to gain trusted access to sensitive information.

Such concerns prompt users to take action. “We wanted to mitigate the risk of information theft, and prevent the inadvertent introduction of malware into our environment,” says Brenda McClure, director, computing environment and enclave defense for the U.S. Department of Justice. “For example, what if somebody plugs into the network and it turns out there's a virus on their system or thumb-drive? Since it came into our network directly, it has bypassed our Internet gateway and firewalls.”

McClure turned to Senforce Wi-Fi Security (SWIS), Draper, Utah, to ensure that broadband connections are protected through mandatory VPN usage; to prevent unauthorized peer-to-peer connections; and to ensure that access through public wireless hotspots is protected.

“Other products did not protect adequately against protocol-level attacks,” McClure says. “Also, we were concerned about the use of removable storage devices, like USB thumb drives or rogue connections.”

The product offers complete control over the users' Wi-Fi connectivity experience. Policy-based controls manage the usage of all Wi-Fi network adapters, including built-in wireless radios and wireless broadband cards, prevent Wi-Fi connections to “rogue” access points and can disallow Wi-Fi usage when users connect to a wired network.

With SWIS, telecommuters enjoy the same level of security protection as users behind the corporate firewall, even when they connect through unmanaged network infrastructure or public access Wi-Fi hotspots.

SWIS consists of five high-level functional components: Policy Distribution Service, Management Service, Policy Editor, Client Location Assurance Service and the SWIS Client. Each integrated component is installed separately and centrally managed by an enterprise IT administrator.

The solution is invisible to users. They never need to know the key in order to connect automatically to the secure access point, which prevents possible redistribution of the keys to unauthorized users. Endpoints connect only to secure access points, keeping users, data and communications more secure by eliminating the security threats associated with unencrypted Wi-Fi connectivity.

Of the five components, Policy Distribution Service is responsible for the distribution of policies to the SWIS Clients and retrieval of reporting data from SWIS Clients. It can be deployed outside the enterprise firewall.

Management Service is responsible for user policy assignment and component authentication; reporting data retrieval, creation and dissemination of SWIS reports; and policy storage and creation. Management Service is installed behind the firewall.

Policy Editor is a visible user interface, which can run on a workstation residing inside the corporate firewall or directly on the Management Service. The Policy Editor is used both as the management console for the Management Service and to create and manage user and group policies.

Client Location Assurance Service (CLAS) provides a cryptographic guarantee that SWIS Clients are actually in the work location, as other existing network environment parameters indicate. CLAS is installed behind the corporate firewall.

The SWIS Client is responsible for enforcement of the distributed security policies on the endpoint system. The SWIS Client is installed on all enterprise PCs that may travel outside the corporate perimeter and/or require additional security checks while inside the firewall.

SWIS features include: Global Wi-Fi Control; Access Point Control; Rogue Access Point Control; Location-based Wi-Fi Connectivity Control; Wi-Fi Adapter Control, Senforce's patent-pending AdapterAware; and VPN Enforcement.

“It is of paramount importance to have central control over policies related to compliance. Senforce provides a central view of our environment,” says another user, Ted Shelkey, assistant director of information systems security for U.S. Attorneys of the U.S. Department of Justice. “We can push policies out, enforce them, and generate audit reports that show how we're in compliance with FISMA. We now have the ability to control security policies automatically, where none existed before.”

© 2008 Penton Media Inc.