Establishing Digital Trust: Don't Sacrifice Security for Convenience
A growing number of administrators are concerned over how to manage corporate laptops at public hotspots. And soon, many enterprises are likely to face the prospect of managing additional wireless technologies beyond mere Wi-Fi.
Customers ranging from Sears to Schlumberger are already implementing customer service or sales applications with major wireless WAN (wide area network) components. Meanwhile, hardware vendors are eyeing PDAs with 802.11 as well as Windows XP management functionality.
Schlumberger's entire US sales force is now using a PDA-based CRM application that operates over Sprint's wireless network, according to John Tombari, Schlumberger's VP of sales.
Along with Sprint, Verizon is another telco that's actively working with enterprise customers around data applications in the WWAN space, notes Tim Bajarin, president of the analyst firm Creative Strategies, Inc.
Protecting Hotspots – VPNs, Personal Firewalls, and Encryption
Right at the moment, hotspots pose some challenges to enterprise administrators, industry analysts agree. Warren Wilson, an analyst at Summit Strategies, hints at major potential for signal interference. "As wireless hotspots proliferate, we'll see more signal interference among neighboring wireless networks. 802.11b also plays in the same frequency range as devices such as microwave ovens and certain cordless phones. These are some of the things that will drive adoption of 802.11a," Wilson predicts.
Security issues, though, will be relatively simple for enterprises to handle, according to Wilson, although the analyst readily acknowledges that Wireless Encryption Protocol (WEP) can be problematic.
Like other encryption technologies, WEP is supposed to “scramble” data so that it can’t be read by unauthorized eyes. WEP encryption, though, is widely acknowledged as being easy to break. One big problem is that WEP uses the same key for encrypting and decrypting all data on the wireless link. Moreover, many end users – and some administrators – never even bother to enable WEP at all.
"Public hotspots, however, are not being installed by amateurs," points out Wilson. "If your organization has a VPN in place, with personal firewalls on end users' laptops, then your users should be well protected."
Furthermore, hotspot purveyors will be staying up-to-date with the latest available security improvements, according to the Summit analyst. "We'll see pretty broad support [at public hotspots] for newer encryption technologies such as WPA, 802.1x, EAP, and LEAP."
Indeed, some of these technologies are already getting support from vendors, and several Wi-Fi products with improved security for homes and small businesses are available now. Microsoft's new Wireless-G family of 802.11g devices, for example, was unveiled this week in New York City and comes with built-in support for WPA.
Like Summit's Wilson, Brian Moran, marketing manager for AirDefense, also advocates the use of VPNs in conjunction with personal firewalls. Specifically, "when VPNs are used for connecting back from a public hotspot to the enterprise network, split tunneling should be disabled," he advises.
Moran offers these additional tips and tricks for protecting access to enterprise networks:
- Ensure that the wireless card remains in "infrastructure only" mode
- Turn off ad hoc networking on laptops
- Clear the list of preferred networks. "Windows XP uses this list to actively probe and broadcast corporate and home service set identifiers (SSIDs)," according to Moran.
- Disable file and print sharing
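The wireless-profile items in Moran's list (infrastructure-only mode, no ad hoc networks, a short preferred-network list) can be checked from a laptop's saved WLAN profiles. The script below is an added example, not part of the original article: it assumes profiles exported as XML with `netsh wlan export profile` on a later Windows release than the XP systems discussed here, and the sample profiles and the `audit_profile` / `audit_all` names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace of the Windows WLAN profile schema.
NS = {"w": "http://www.microsoft.com/networking/WLAN/profile/v1"}

def audit_profile(xml_text):
    """Return (profile name, list of findings) for one exported WLAN profile."""
    root = ET.fromstring(xml_text)
    def text(path):
        return (root.findtext(path, "", NS) or "").strip()
    findings = []
    if text("w:connectionType") == "IBSS":          # ESS = infrastructure
        findings.append("ad hoc (IBSS) profile: remove it")
    if text("w:connectionMode") == "auto":
        findings.append("auto-connect: drop from preferred list or set manual")
    if text("w:SSIDConfig/w:nonBroadcast").lower() == "true":
        findings.append("hidden-SSID profile: client actively probes for it")
    enc = text("w:MSM/w:security/w:authEncryption/w:encryption")
    if enc in ("none", "WEP"):
        findings.append(f"weak link encryption ({enc}): use only with the VPN")
    return text("w:name"), findings

def audit_all(profiles):
    """Map each profile name to its findings."""
    return dict(audit_profile(p) for p in profiles)

def _sample(name, ctype, mode, hidden, auth, enc):
    """Build a constructed profile document in the exported XML layout."""
    return f"""<WLANProfile xmlns="{NS['w']}">
  <name>{name}</name>
  <SSIDConfig><SSID><name>{name}</name></SSID>
    <nonBroadcast>{hidden}</nonBroadcast></SSIDConfig>
  <connectionType>{ctype}</connectionType>
  <connectionMode>{mode}</connectionMode>
  <MSM><security><authEncryption>
    <authentication>{auth}</authentication><encryption>{enc}</encryption>
  </authEncryption></security></MSM>
</WLANProfile>"""

# Constructed sample data, not taken from any real machine.
SAMPLES = [
    _sample("CorpNet", "ESS", "manual", "false", "WPA2", "AES"),
    _sample("CoffeeShop", "ESS", "auto", "false", "open", "none"),
    _sample("peer-share", "IBSS", "manual", "false", "open", "WEP"),
    _sample("HomeHidden", "ESS", "auto", "true", "WPA2PSK", "AES"),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(name, "->", findings or "ok")
```

Split tunneling and file and print sharing are VPN-client and network-adapter settings, so they are not visible in WLAN profiles and need a separate check.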
Choice of Net Will Depend on the App
"For most companies, 802.11 provides adequate wireless [capabilities] for now," Bajarin theorizes. Ultimately, though, an enterprise's choice of wireless networks will depend on the needs of its applications, according to the mobile/wireless analyst.
Schlumberger and Sears are two companies that are already finding this out. Schlumberger's on-the-road salespeople are able to use Sprint's essentially ubiquitous cellular network, thereby avoiding the need to hunt down an 802.11 hotspot situated somewhere nearby.
Why? Schlumberger's app is designed with small network bandwidth in mind. "Sprint's network is just fine for the CRM data the salespeople are sending," maintains Schlumberger's Tombari.
On the other hand, as a security precaution, Schlumberger is confining the PDA-based app to use within U.S. borders.
Sears – Three Shades of Wireless in a Mobile Van
Giant international retailer Sears, on the other hand, is taking a hybrid approach to wireless. Sears home appliance repair specialists now drive mobile vans equipped with private Wi-Fi hotspots, together with both WWAN and satellite-based wireless technologies.
On the business side, Sears' goal with the implementation is "to take our customers to the point where they want to go out and promote repair services in the backyard to their neighbors," said David Sankey, director of process and technology development for Sears Product Repair Services, during a conference session at DCI's recent CRM show in New York City.
Sears' current implementation has been many years in the making. In 1991, Sears started using the 800 MHz ARDIS wireless network for data communications with its remote technicians. Back then, Sears created Handheld Terminal (HHT), a mobile app designed for use on IBM PC Radio systems hooked up to ARDIS. Sears kept using HHT even after ARDIS was acquired by American Mobile. In 1999, though, the retailer began to augment ARDIS with a link to Norcom Network Corp.'s satellite systems.
Last year, Sears began testing a revamped app, known as the Sears Small Toolbox (SST). In SST, the technicians' mobile vans are equipped with 802.11 hubs, as well as antennae enabled for both American Mobile and the satellite link. Full rollout to Sears' 13,000 repair people started earlier this year.
On a day-to-day basis, technicians now use American Mobile for uploading and downloading information about schedule changes and repair parts, for example. By accessing the corporate VPN over Wi-Fi, they're able to find out if a needed refrigerator part is available directly from their laptops, without leaving the customer's home. Otherwise, a technician would either have to step outside to the truck, place a cell phone call from inside the house, or even worse, "ask to use the customer's phone," Sankey said.
The technicians also use the system's GPS capabilities to plan the best routes for getting to customers' homes.
The more costly satellite link comes into play "only when necessary" — mainly when trucks move out of American Mobile's coverage range, according to Sankey. "You need to be sensible" with respect to the costs versus the benefits, he recommended.
The SST app runs on ruggedized custom laptops from Itronix, outfitted with touch screens. Wireless Matrix provides the van antennae, as well as outsourced remote monitoring and asset management for Sears. Wireless Matrix, by the way, purchased Norcom in 2001.
Public Hotspots Learn to Fly
Mobile vans aren't the only mode of transportation now playing host to Wi-Fi hotspots. Lufthansa Airlines, for one, will soon launch hotspot services on airplane flights. Lufthansa is installing Boeing's Connexion mobile information service on 80 of its aircraft, officials said, during a recent knowledge management conference sponsored by Basex.
Meanwhile, Wi-Fi start-ups like Cometa and Waveport are dotting the firmament with hotspots in brick-and-mortar establishments such as hotels, fast food joints, and Starbucks cafes.
Pick Your Wireless-enabled Weapon – Laptops or PDAs?
PDAs will be used at hotspots, too. Broadcom last week demoed a prototype in New York City showing use of one of its new chips in a small and light PDA architecture. The prototype combines Wi-Fi with a second wireless technology – such as Bluetooth – in a single piece of silicon.
Next year, several Pocket PC vendors plan to release PDAs based on a Windows XP-based architecture from Microsoft. Instead of requiring applications written for relatively "niche" OSes – such as PocketPC or PalmOS – PDAs will soon be able to run standard XP fare. As a result, enterprises interested in PDA deployment will be spared the expense of custom development, according to Bajarin.
Furthermore, Windows shops should soon be able to use the same .NET technologies for administering PCs and PDAs alike. Other vendors, such as Sharp and G.Mate, are making a play with Linux-based PDAs.
However, the operating environment isn't the only factor to look at when choosing between PCs and PDAs for remote wireless access.
Sears took a hard look at both options, deciding on laptops for a different set of reasons, according to Sankey. "Our application is relatively thick," he said. To reduce demands on wireless links, Sears supplies its repair staff with DVDs containing 90,000 part diagrams each. Downloads are only required for updates on parts.
Sears' current implementation, however, is not exactly set in stone. "We do periodic technology reviews, and make changes accordingly," Sankey said.
So, securing laptops for public hotspots is only the beginning. Over the next few years, enterprises will face increasing numbers of new remote access scenarios. Your best bet is to start preparing now, by learning all you can about these and other emerging options for mobile/wireless communications and management.