Roaming the World

Never LapLink and Drive!

The role of the "Road Warrior" is a difficult, lonely, and often dangerous one. Well, OK. Perhaps it's not that dangerous (unless he tries to use both notebook PC and mobile phone while doing 80mph in the outside lane of the M25). But difficult and lonely? Certainly. The jet-setting life, flying around the world to myriad exotic locations and staying in 5-star hotels (or driving round and round the M25 and staying in Travel Lodges), soon becomes workaday, and our intrepid hero is left with the mundane issues of submitting reports on time, picking up e-mail, voice and fax messages, and making sure that the copy of Doom on his laptop has all the latest updates.

The "difficulties" facing the mobile executive today are often brought about by the very technology introduced originally to make his life easier. In the office he has access to advanced e-mail and voice mail systems, but how does he access these from a hotel in Bora Bora? Whilst at his desk, he has the use of custom-built client-server applications pulling the latest data from the central corporate databases, but how does he run these from a car park in Watford?

When is a Network Card Not a Network Card?

There are numerous remote access applications on the market which require some sort of "host" PC within the corporate network to which the remote client can connect to perform the necessary file transfers, data synchronisation operations, and so on. Products like LapLink from Travelling Software provide the means to run database applications, transfer files, synchronise data, remotely control a PC, and read and send e-mail, all with a single application and even over the Internet. Such applications have come a long way from their humble "file transfer" beginnings, when it was necessary to connect the two PCs directly with a piece of cable.
But for those who require something that more closely resembles their normal network connection from the days when they were deskbound, how about the ability to turn their PCMCIA modem card, ISDN TA or cellular phone into a network card offering a true bi-directional network connection? This can be accomplished with the Apollo Emulator from Brand Communications (01480 442100), a piece of software which fools the operating system into thinking that any serial device attached to the PC is actually a shared-memory network card. Any serial device which responds to the standard Hayes AT command set will work with the Apollo: simply load your standard network drivers on top of the Emulator, and your network connection can then be made over a high-speed ISDN link, a standard PSTN line using any modem, or even a GSM phone. Advanced spoofing and error-correction capabilities are built into the product to keep connection time to a minimum and maximise reliability. Data compression is also employed (with ratios of up to 9:1 reported), and communications speeds of up to 230,000bps are supported under Windows 95.

Where you don't need to be on-line all the time, however, RemoteWare from Xcellenet (01494 558000) provides more sophisticated interaction between client and server. RemoteWare uncouples user activity from communications and system administration events such as e-mail transfers, file transfers, software distribution, database queries, database replications, and Web page downloads. By allowing such activities to be performed entirely off-line and queuing the resulting requests for bulk transfer, RemoteWare maximises the efficiency of remote enterprise intranetworking solutions by minimising connect time. With RemoteWare, users and administrators do most of their work off-line.
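The store-and-forward model that RemoteWare is described as using (queue work off-line, exchange everything in one short call, hold results at the server until the next call, and restart an interrupted transfer from a checkpoint) is easy to misunderstand without seeing the sequence of calls. The following is an added example written for this article, not Xcellenet's code: the agent and server classes, the 4-byte transfer chunk, the SQLite table and the byte-budget "line drop" are all constructed for the demonstration. Two points matter from a security standpoint and are built in: the queued query travels with bound parameters rather than being formatted into the SQL text, and a result is only accepted by the client once the reassembled bytes verify against the digest the server computed.

```python
"""Store-and-forward sync with checkpoint restart (constructed example, not RemoteWare code)."""
import hashlib
import sqlite3
from dataclasses import dataclass, field

CHUNK = 4  # bytes per transfer unit; tiny so a simulated line drop lands mid-transfer


@dataclass
class ClientAgent:
    """Mobile-PC side: work is queued off-line and exchanged in a single call."""
    outbox: list = field(default_factory=list)    # (req_id, sql, params) not yet uploaded
    received: dict = field(default_factory=dict)  # req_id -> bytearray, possibly partial
    complete: dict = field(default_factory=dict)  # req_id -> verified result bytes

    def queue_query(self, req_id, sql, params=()):
        # Parameters stay separate from the SQL text; nothing is transmitted yet.
        self.outbox.append((req_id, sql, tuple(params)))

    def checkpoint(self, req_id):
        """Byte offset to resume from: how much of this result has already arrived."""
        return len(self.received.get(req_id, b""))


class CentralServer:
    """Central-site agent: runs queued queries off-line and holds results for pickup."""
    def __init__(self, conn):
        self.conn = conn
        self.pending = []  # queries received but not yet run
        self.results = {}  # req_id -> (sha256 hex digest, payload bytes)

    def process_pending(self):
        for req_id, sql, params in self.pending:
            rows = self.conn.execute(sql, params).fetchall()  # bound parameters, no string building
            payload = "\n".join(",".join(map(str, r)) for r in rows).encode()
            self.results[req_id] = (hashlib.sha256(payload).hexdigest(), payload)
        self.pending.clear()


class LineDropped(Exception):
    """Raised when the simulated connection fails; args[0] is bytes downloaded in that call."""


def connect(client, server, byte_budget=None):
    """One call: upload the outbox, then download results, resuming from checkpoints.
    byte_budget simulates the line going down after that many result bytes."""
    sent = 0
    server.pending.extend(client.outbox)
    client.outbox.clear()
    for req_id, (digest, payload) in list(server.results.items()):
        buf = client.received.setdefault(req_id, bytearray())
        while len(buf) < len(payload):
            if byte_budget is not None and sent >= byte_budget:
                raise LineDropped(sent)  # client keeps what it has as the checkpoint
            chunk = payload[len(buf):len(buf) + CHUNK]  # resume from the checkpoint offset
            buf.extend(chunk)
            sent += len(chunk)
        if hashlib.sha256(bytes(buf)).hexdigest() == digest:
            client.complete[req_id] = bytes(buf)
            del server.results[req_id]
            del client.received[req_id]
        else:
            client.received.pop(req_id)  # corrupt reassembly: restart from zero next call
    return sent


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, region TEXT, total INTEGER)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)",  # constructed sample data
                     [(1, "north", 120), (2, "south", 75), (3, "north", 310), (4, "north", 44)])
    client, server = ClientAgent(), CentralServer(conn)

    # Off-line: the user enters the query; it is stored until the next connection.
    client.queue_query("q1", "SELECT id, total FROM orders WHERE region = ? ORDER BY id", ("north",))

    call1 = connect(client, server)  # upload only; the result does not exist yet
    server.process_pending()         # runs at the central site after the line has dropped
    try:
        connect(client, server, byte_budget=8)  # line drops part-way through the download
    except LineDropped as e:
        dropped_after = e.args[0]
    resume_from = client.checkpoint("q1")
    call3 = connect(client, server)  # only the remainder is transmitted
    return {"call1_bytes": call1, "dropped_after": dropped_after,
            "resume_from": resume_from, "call3_bytes": call3,
            "result": client.complete["q1"]}
```

Running `demo()` shows the 25MB/24MB/1MB scenario from the text in miniature: the first call carries only the request, the second call delivers 8 of the 16 result bytes before the simulated drop, and the third call sends just the remaining 8 bytes before the digest check releases the result to the application.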
RemoteWare agents, resident both at the central site and on the mobile PCs, store all requests for data transfers, file transfers, SQL queries, e-mail transmissions, print jobs, in fact anything which can be performed by either the client or the server. When the occasional connection is made, the agents on the client PC and on the server at the central site forward application-driven data to the central site resources, route data from those resources back to the user, and perform system administrative and management tasks initiated by the server. In this way, RemoteWare services the combined information exchange and management requirements of all applications with a single call. This co-ordinated data delivery puts the user effectively in touch with information resources without the need for continuous or frequent connections.

Nor is it necessary for a user to remain connected during a complete database query operation. In a typical scenario, a user will enter the SQL query parameters, and the transaction will be stored until the next connection. At this point the query is transferred to the RemoteWare server, and the connection can be dropped immediately. The query is processed and the results stored at the server until the next time that user connects, at which point the results are transferred. To keep frustration to a minimum, RemoteWare provides a high degree of data compression and excellent error recovery during transmissions. The checkpoint restart facility allows you to recommence an interrupted transmission from the point at which the connection failed, so if you had already transferred 24MB of that 25MB file when the line went down, only the remaining 1MB is transmitted the next time the connection is established.

Firewalls, Firewalls Everywhere, I Hope!
Of course, providing comprehensive access to your remote workers in this manner also poses a significant security threat to the company's network, and demands new facilities from network security systems which "traditional" firewalls cannot address. One such problem area is security for external interaction with business systems on the internal network, a vital requirement for effective remote access. While the standard firewall architecture provides an effective solution to the problem of unauthorised access, it can frequently hinder the use of the Internet for anything other than basic functions such as Web browsing or simple e-mail. Many users are beginning to come up against the limitations of traditional firewalls, making it difficult to expand the usage of the Internet into other areas of the organisation. The main problem is that they were originally built as one-way devices, designed to block all incoming connections and effectively keep people out. With the growth in remote working, however, it is increasingly important to allow effective two-way conversations to occur between two authorised parties through an otherwise secure firewall.

The issue now becomes how to provide a secure, fine-grained access-control and encryption channel between specific users and applications outside the firewall and the corporate application software behind it. This needs to happen in order to support client-server applications across the Internet, but it needs to happen in such a way that allowing remote users to communicate with a protected network via the firewall does not at the same time open a channel which could potentially be exploited by unauthorised users. When linking two sites together across the Internet, we can make use of the Virtual Private Network (VPN) feature offered by most of the firewalls currently available. The drawback is that it requires a firewall at each end, and is thus only of use when connecting sites or organisations.
Effective remote access requires that we provide a temporary link between the remote employee and the corporate network which is equally secure, yet is created and removed dynamically. This can be achieved using special client- and server-side software which works with the firewall to provide such dynamic links; typical examples of this sort of solution are Twister from Brokat UK (07000 27 65 28) and SmartGate from Internet SmartWare (0181 574 9545). SmartGate, for instance, acts as a gateway to the private network, protecting the privileged resource and only allowing access to users who present a validated pass. The pass, or user credential, is validated by means of a user token that can range in relative strength from a simple password to smart cards or X.509v3 certificates. Once the user has been authenticated, the resulting link through the firewall is fully encrypted using 56-bit DES or RC4. A similar, hardware-based solution is provided by 3Com's Tunnel Switching architecture, which is also intended to provide a secure, Internet-based remote access solution for both server-server and client-server environments.

Get Smart

Both Twister and SmartGate support the use of smart cards, which are ideal as providers of tamper-resistant storage for protecting private keys, account numbers, passwords, and other forms of personal information. They also serve to isolate security-critical computations involving authentication, digital signatures, and key exchange from other parts of the system that do not have a "need to know". For instance, with the SmartGate product, the client key never actually leaves the smart card during the initial mutual authentication phase, when the client and server are creating the secure link. Instead, all the necessary responses are calculated and encrypted within the card and then transmitted directly to the server software.
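The property the paragraph above describes, that the card computes every response internally and the key itself never crosses the card interface, is worth seeing as a concrete mutual challenge-response exchange. The block below is an added illustration written for this article and is not SmartGate, Twister or any real card's protocol. It assumes a symmetric per-user key shared by the card and the gateway as a stand-in for the card's private key and the gateway's copy of the matching certificate (HMAC-SHA256 keeps the example inside the Python standard library); the `SmartCard` and `Gateway` classes, the label strings and the nonce lengths are all constructed. What it demonstrates: the card object exposes no way to read its key, both sides prove possession before any session key is derived, and a captured response cannot be replayed because the gateway's nonce is fresh each time.

```python
"""Mutual challenge-response with the key held inside a simulated card (constructed example)."""
import hashlib
import hmac
import secrets


class SmartCard:
    """Simulated tamper-resistant token: the key is set once and is never returned."""
    def __init__(self, key: bytes):
        self.__key = key  # assumption: symmetric stand-in for the card's private key

    def respond(self, server_nonce: bytes, card_nonce: bytes) -> bytes:
        # All computation on the secret happens "inside the card"; only the MAC leaves it.
        return hmac.new(self.__key, b"card|" + server_nonce + card_nonce, hashlib.sha256).digest()

    def verify_server(self, server_nonce: bytes, card_nonce: bytes, proof: bytes) -> bool:
        expected = hmac.new(self.__key, b"server|" + card_nonce + server_nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)

    def session_key(self, server_nonce: bytes, card_nonce: bytes) -> bytes:
        # Derived only after both sides have been authenticated; bound to both nonces.
        return hmac.new(self.__key, b"session|" + server_nonce + card_nonce, hashlib.sha256).digest()


class Gateway:
    """Server side of the exchange: holds each user's verification key and drives the protocol."""
    def __init__(self, user_keys: dict):
        self.user_keys = user_keys

    def challenge(self) -> bytes:
        return secrets.token_bytes(16)  # fresh nonce per attempt defeats replay

    def check_card(self, user: str, server_nonce: bytes, card_nonce: bytes, proof: bytes):
        """Return the server's own proof if the card's response verifies, else None."""
        key = self.user_keys.get(user)
        if key is None:
            return None
        expected = hmac.new(key, b"card|" + server_nonce + card_nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return None
        return hmac.new(key, b"server|" + card_nonce + server_nonce, hashlib.sha256).digest()

    def session_key(self, user: str, server_nonce: bytes, card_nonce: bytes) -> bytes:
        return hmac.new(self.user_keys[user], b"session|" + server_nonce + card_nonce,
                        hashlib.sha256).digest()


def mutual_authenticate(gateway: Gateway, user: str, card: SmartCard):
    """Run the exchange; return (client_session_key, server_session_key) or None on failure."""
    server_nonce = gateway.challenge()                     # 1. gateway -> client
    card_nonce = secrets.token_bytes(16)
    proof = card.respond(server_nonce, card_nonce)         # 2. computed inside the card
    server_proof = gateway.check_card(user, server_nonce, card_nonce, proof)  # 3. gateway verifies
    if server_proof is None or not card.verify_server(server_nonce, card_nonce, server_proof):
        return None                                        # 4. client verifies the gateway
    return (card.session_key(server_nonce, card_nonce),
            gateway.session_key(user, server_nonce, card_nonce))


def replay_is_rejected(gateway: Gateway, user: str, card: SmartCard) -> bool:
    """Capture one genuine (card_nonce, proof) pair and present it against a fresh challenge."""
    first_nonce = gateway.challenge()
    card_nonce = secrets.token_bytes(16)
    captured = card.respond(first_nonce, card_nonce)
    second_nonce = gateway.challenge()
    return gateway.check_card(user, second_nonce, card_nonce, captured) is None
```

A usage pattern: enrol `alice` with `Gateway({"alice": key})`, hand `SmartCard(key)` to the client side, and call `mutual_authenticate`; the two returned session keys match, a card initialised with any other key yields `None`, and `replay_is_rejected` returns `True`. The card-side and gateway-side MAC computations are deliberately written out separately so the asymmetry of a real deployment (private key on the card, public verification data on the server) is easy to substitute in.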
Smart cards also provide a level of portability for securely moving private information between systems at work, at home, or on the road. These factors combine to make smart card technology suitable for a wide range of applications for the general public, such as customer loyalty schemes, electronic banking, telephone cards and electronic purse (e-cash) applications. In addition to such general-purpose applications, however, smart cards also have a niche to carve in the workplace, since they are capable of enhancing software-only solutions such as client authentication, single sign-on, secure storage, and system administration. This makes them suitable for both physical and logical access control applications in the enterprise. By personalising the smart card with the holder's name and photograph, it can act both as a general-purpose employee ID card (for visual recognition) and as an access control mechanism. Physical access to a building or specific rooms can be effected using smart cards in conjunction with door-mounted card readers, PIN numbers and, for the more security-conscious organisation, biometric data such as retina, voice or fingerprint scans. Once physical access has been granted, logical access control can also be handled by smart cards through the use of PC-based card readers. Since a range of passwords and user-specific details can be stored securely within the card, they can be used to provide network access, single sign-on, and even "hot desking", where the user's customised desktop "follows" him automatically from PC to PC.

Web Access

Sometimes, all that is required on the road is seamless access to corporate e-mail systems, and the most effective means to provide that is over the Internet.
Infinite InterChange from Infinite Technologies (+1 410 363 1097) provides universal remote access to LAN-based e-mail systems from anywhere. Remote users can access the corporate e-mail network over the Internet or an intranet using a variety of different means, such as IMAP4, POP3, SMTP, and Web/HTTP. Although it supports a wide variety of e-mail applications and protocols, including BeyondMail, cc:Mail, DaVinci eMAIL, ExpressIT! and Microsoft Mail, Infinite InterChange can also run as an independent SMTP-based e-mail server, supporting IMAP4, POP3, and Web/HTTP clients, without requiring an existing e-mail platform. One configuration might be a Microsoft Mail post office with local users on the LAN who use Microsoft Windows Messaging. Remote users can connect back to the Microsoft Mail post office through Infinite InterChange using a Web browser like Netscape Navigator or Microsoft Internet Explorer, or an e-mail client that supports POP3 or IMAP4, such as Pegasus or Eudora. With Infinite InterChange running in the background, all of these users can access the Microsoft Mail post office and send, file, and retrieve their mail as easily as someone sitting at their desk in the office.

Controlling Those Call Costs

One problem which plagues the Road Warrior more than anything, particularly when his only means of communication is the cellular phone, is the high cost of the calls necessary to establish an Internet connection. Even if you are lucky enough to have picked an Internet Service Provider (ISP) with an international presence, you can never be sure that there will be a local Point Of Presence (POP) available when you need it, and this can result in some costly long-distance or even international calls. Of course, you could create a number of Internet accounts with a range of providers in different countries.
This could be even more costly in terms of subscriptions, however, and would result in a nightmare jumble of different configuration files and settings on your laptop, not to mention the headache of managing a number of different e-mail addresses. For corporations with large populations of mobile users the costs involved could soon become astronomical, but one way around this is to use the iPass service (available through Internet SmartWare on 0181 574 9545). iPass Corporate Access is a service that enables mobile workers and telecommuters to connect to the Internet and their internal intranets with a local phone call from every major city in the world. This has been achieved by establishing a huge network of co-operating ISPs located around the globe, together with a clever cross-charging system which ensures that everybody benefits.

Once the iPass client has been installed, the user is presented with the iPass Dial Wizard each time he wants to establish an Internet connection. The Dial Wizard presents a simple point-and-click menu of cities and regional locations to choose from, and once the user selects the closest one a local call is made to the appropriate ISP. From then on, the user has a standard Internet connection at his disposal, which could even be used to provide direct access into the corporate intranet on the other side of the world, whilst still only paying for a local call. All that is needed at the central office is the iPass Corporate Access Server software, which handles all the necessary authentication and billing. The organisation also needs to purchase a number of iPass "credits", which are used to pay for all iPass calls. When a user logs onto a local iPass access point, the remote ISP recognises that the login attempt is not one of its own subscribers.
The iPass software running at the remote ISP's server then encrypts the user name and password and passes them securely to an iPass server, which forwards them to the authentication server located at the user's head office. This server returns a yes or no to the remote ISP to allow or disallow the connection, and after receiving authorisation the remote ISP connects the user and allows complete Internet access. At the end of the session, the remote ISP passes information regarding the length of the session to the iPass server; iPass pays the remote ISP for the time used on its service and then bills the end-user organisation (in iPass credits) with detailed usage records of each transaction. iPass manages all the necessary user authentication and settlement, producing usage statements very similar to a telephone bill. It is important to recognise, however, that although a conversation is established from the remote ISP to the head office iPass server, this is for the purpose of authentication only; once that has been established, the actual Internet connection is still to the local ISP. The network of iPass partners is growing all the time, and this service offers an excellent and currently unique way for an organisation to keep the Internet costs of its mobile users to an absolute minimum.

We started out by stating that the Road Warrior's role was difficult, lonely and dangerous. Having eliminated both dangerous and difficult, surely they can put up with being lonely? Well, perhaps even loneliness is a thing of the past, given that Fracom (01252 737119) has recently released its notebook-based videoconferencing system (which includes full-duplex audio and document-sharing capabilities). With a notebook-mounted video camera, Nogatech PCMCIA ConferenceCard, and a standard 28,800bps modem, the lonely Road Warrior can now while away the wee small hours in intimate video conferences with his or her loved one, unless a game of Doom sounds more appealing!
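The three-party flow in the "Controlling Those Call Costs" section (remote ISP, iPass settlement server, and the organisation's own authentication server) is worth modelling explicitly, because the security of the arrangement rests on what each party learns: the ISP gets only a yes/no verdict and a session, the home server alone holds the password verifiers, and settlement is computed from the session length the ISP reports. The block below is an added simulation written for this article, not iPass or Internet SmartWare code. The `HomeAuthServer`, `IPassBroker` and `RemoteISP` classes, the `user@realm` login convention used for routing, the credit rate, the PBKDF2 verifier and the sample users are all constructed; the encrypted transport between the parties that the text describes is assumed and not modelled, the example being about data flow and accounting rather than the cipher.

```python
"""Roaming dial-up authentication and settlement, three-party model (constructed example)."""
import hashlib
import hmac
import os
import secrets


def _verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class HomeAuthServer:
    """Stand-in for the organisation's authentication server: verifies users, holds credits."""
    def __init__(self, realm: str, credits: int):
        self.realm, self.credits = realm, credits
        self.users = {}   # name -> (salt, verifier); plaintext passwords are never stored
        self.usage = []   # itemised records, the "telephone bill"

    def add_user(self, name: str, password: str):
        salt = os.urandom(16)
        self.users[name] = (salt, _verifier(password, salt))

    def authenticate(self, name: str, password: str) -> bool:
        rec = self.users.get(name)
        if rec is None:
            _verifier(password, b"\0" * 16)  # same cost for unknown names, same yes/no answer
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, _verifier(password, salt))

    def bill(self, record: dict, credits: int):
        self.credits -= credits
        self.usage.append(record)


class IPassBroker:
    """Settlement hub: routes logins to the home realm, pays ISPs, bills organisations."""
    RATE = 2  # credits per minute; constructed figure

    def __init__(self):
        self.homes = {}        # realm -> HomeAuthServer
        self.isp_payable = {}  # isp name -> minutes owed

    def register_home(self, home: HomeAuthServer):
        self.homes[home.realm] = home

    def authorise(self, login: str, password: str) -> bool:
        name, _, realm = login.rpartition("@")
        home = self.homes.get(realm)
        return home is not None and home.authenticate(name, password)  # verdict only

    def settle(self, isp_name: str, login: str, minutes: int) -> int:
        name, _, realm = login.rpartition("@")
        credits = minutes * self.RATE
        self.isp_payable[isp_name] = self.isp_payable.get(isp_name, 0) + minutes
        self.homes[realm].bill({"isp": isp_name, "user": name, "minutes": minutes,
                                "credits": credits}, credits)
        return credits


class RemoteISP:
    """Local point of presence: forwards foreign logins to the broker, keeps no password."""
    def __init__(self, name: str, broker: IPassBroker):
        self.name, self.broker = name, broker
        self.sessions = {}  # session id -> login

    def login(self, login: str, password: str):
        if not self.broker.authorise(login, password):
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = login  # the Internet connection itself stays with this ISP
        return sid

    def logout(self, sid: str, minutes: int) -> int:
        login = self.sessions.pop(sid)
        return self.broker.settle(self.name, login, minutes)


def demo():
    broker = IPassBroker()
    home = HomeAuthServer("example.corp", credits=100)  # constructed realm and balance
    home.add_user("alice", "correct horse battery")
    broker.register_home(home)
    isp = RemoteISP("tokyo-pop", broker)

    sid = isp.login("alice@example.corp", "correct horse battery")
    wrong_pw = isp.login("alice@example.corp", "guess")
    unknown_realm = isp.login("alice@nowhere.example", "correct horse battery")
    charged = isp.logout(sid, minutes=30)
    return {"session_ok": sid is not None, "wrong_pw": wrong_pw, "unknown_realm": unknown_realm,
            "charged": charged, "credits_left": home.credits,
            "isp_minutes": broker.isp_payable["tokyo-pop"], "records": len(home.usage)}
```

`demo()` walks one roaming session end to end: a correct login is granted a session at the local ISP, a wrong password or an unregistered realm is refused with nothing more than a "no", and a 30-minute session is settled as 30 minutes owed to the ISP and 60 credits debited from the organisation with one itemised usage record.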