Pocket PC Magazine, November '03

  Some serious challenges await IT departments that wish to implement a Pocket PC VPN solution. Cost, battery life, and network availability are just a few of the main challenges. Until very recently, the only Pocket PC device that was even capable of such a role was the HP iPAQ, because it was the only Pocket PC capable of interfacing with a PC Card modem. With the recent introduction of CompactFlash high-speed wireless modems, the range of hardware available to IT departments is greatly expanded. For this article I tested three of the most popular devices: the HP iPAQ 5400 series, the Dell Axim X5, and the Toshiba e755.

  Hardware comparisons

  In evaluating Pocket PC devices to make a purchasing decision for the enterprise, the single most important factor is battery life. All new Pocket PC devices have severe limitations with regard to battery life (see table below). This constraint is becoming more livable with advances in power management and extended-life batteries, but despite these improvements, mobile chargers for vehicles and periodic charges throughout the day will be required. Extended-life batteries are a must for effective after-hours support roles. The batteries included on most Pocket PCs are simply unable to provide more than a few hours of use once taken off an external power source. If a device is powered off, real-time alerts, notifications, and phone calls cannot be received, so long standby life is a necessity for effective notification.

  * * *

  Pocket PC battery life comparison

  Device          1xRTT connected   802.11B   Turned on, no connections
  Dell Axim X5    4.5 hrs           6.3 hrs   8.2 hrs
  Toshiba e755    4.2 hrs           6.7 hrs   8.1 hrs
  HP 5455         4.2 hrs           5.9 hrs   8.0 hrs

  * * *

  Cost is also a large challenge. With many Pocket PCs priced over $500 before extended-life batteries, chargers, modem cards, or monthly service charges, the cost will rightly require justification. It is just not practical for some IT departments to equip every member of their staffs with Pocket PCs, and one or two devices can often fill a department's needs. Replacement of cell phones, cost of downtime vs. cost of a Pocket PC deployment, and perhaps even reduction in staff or elimination of night shifts are common and very real examples of how a company will see ROI and real operational cost savings through the use of these devices.

  The size and weight of a Pocket PC device is also a consideration, but a minor one. Most IT professionals are accustomed to wearing cell phones, pagers, and other devices. A much larger concern is how to prevent dropping or otherwise damaging mobile devices. Belt clips and vehicle mounts are a good way to maintain functionality while offering protection to mobile devices. From my personal experience, www.iproductsonline.net offers one of the most comprehensive lines of practical and secure holsters and vehicle mounts on the market. I use their iHolster line exclusively and have never suffered a drop or any damage while using their products. I would personally recommend avoiding Velcro flap-type holsters, or attaching belt clips directly to a Pocket PC device. All too often I have seen devices fall out of holsters because of worn Velcro, or clips break or separate when bumped against door frames.

  Service providers and connection cards

  There are several different modem or connection card options available today, but most fall into two categories: 1xRTT and GPRS. Though the technical differences between these two network types are significant, if you don't plan on connecting to the Internet outside of the U.S., the differences do not really affect their performance. When shopping for connection cards, you need first to determine which providers offer service to your area. If you are in a major city, you will most likely find several providers available to you. While researching providers I quickly discovered that none of the GPRS providers in my area of Dallas offered an unlimited data plan. If you connect your pocket device to the Internet often, you can quickly find you've transferred over 100 MB of data. This is especially true if you perform remote desktop connections often. For this reason, I tested only the Sprint PCS and Verizon Express networks for this article. Both Verizon and Sprint PCS offer unlimited 1xRTT data packages for about $100 a month. In addition, both of these providers will allow conventional calling plans to be attached to the modems to make the Pocket PC a practical replacement for a cell phone.

  Sprint PCS offers three different modem cards for use in handheld devices (Fig. 1). They are the Sierra Wireless 550, the CF2031 (CompactFlash), and the Novatel Wireless Merlin C201. All are compatible with Pocket PC 2002 and 2003. The Sierra Wireless 550 card is the only voice- and data-capable connection card offered by Sprint PCS.

  Fig. 1 (above): Sprint PCS Connection Cards

  Verizon Wireless offers only one connection card for the Pocket PC: the Sierra Wireless Aircard 555 (Fig. 2). This card is identical to the Sprint PCS Aircard 550 except that it has been encoded to work with the Verizon network. Like its Sprint PCS brother, it allows the Pocket PC to double as a cell phone and includes a removable folding antenna.

  Fig. 2 (above): Verizon Wireless Aircard 555

  VPN overview

  True remote wireless administration relies on a few very important elements. First you need a Pocket PC device and a wireless Internet connection, and you need to deploy VPN services on your host network. To deploy VPN services, you must first establish a VPN host server. Most routers, including broadband routers, offer VPN services. Microsoft Windows Server 2003 also offers outstanding VPN services. VPN can be established via IPSec or PPTP protocols. There are over 30 RFCs that relate to VPN: RFCs 2637, 3070, and 2769 most apply to the topics covered in this article. For more technical information on how VPN works visit the wealth of information at www.vpninsider.com. In this example of VPN configuration we will establish a PPTP connection via the integrated Pocket PC 2003 client, and an IPSec connection using Funk Software's AdmitOne client. Both connections will be to a Netopia R series router with VPN support, and Radius authentication to a Windows 2003 Server.

  IPSec via Funk Software AdmitOne VPN client

  I have found the AdmitOne software by Funk (www.funk.com/ipsec/enterprise/enterprise_ipsec.asp) to be a very stable VPN client. I am especially pleased that the client will function over just about any form of Internet connection. The setup of the client is painless and very user-friendly.

  To set up the AdmitOne client, install the software, establish an Internet connection, and log in to the policy store. If it is the first time running the software, enter the user ID and password you would like to use for the store.

  To make a new connection, you enter a friendly name and the host IP address, tap the Advanced button on the bottom, and select Automatic IKE/IPSec Configuration.

  Then, enter your IP information for the virtual adapter, the network and mask you wish the client to capture (Fig. 3), and tap Finish. At this point you should be able to connect to the VPN server.

  Fig. 3 (above): Network capture setup for AdmitOne client

  Once a connection has been established you will be able to view and connect to network resources in the same manner that you would if connected directly to the network.

  PPTP via Windows Mobile 2003 integrated VPN driver

  If you have ever attempted to use the integrated VPN driver to establish a VPN connection in Pocket PC 2002 over a wireless connection, or even over a Bluetooth connection to a cell phone, chances are you were unsuccessful. But Microsoft has greatly improved its included VPN client in Windows Mobile 2003. In fact the connection management in general is much more robust and eliminates some of the need for third-party connection managers to include VPN clients. The integrated VPN driver now supports both IPSec and PPTP connections. In addition, the integrated driver supports certificate authentication, which is a huge step in securing mobile VPN solutions. In this example, however, we will demonstrate a connection with Windows Mobile 2003's integrated VPN driver using the most common form of VPN authentication, a Radius server. To configure a PPTP VPN connection in Windows Mobile 2003, do the following:

  First open the Connections menu from the Settings pane, tap the Connections tab, and tap Connections.

  Next, tap Add New VPN Server Connection. Enter a name for your VPN connection, enter the hostname or IP address of the VPN server, and select your VPN type (Fig. 4).

  Fig. 4 (above): Configure the VPN connection

  Enter your credentials (Fig. 5). Tap the Advanced button if you need to specify IP address information.

  Fig. 5 (above): Enter your credential, and Advanced tab IP address information

  To establish a VPN connection, simply start to use an application (such as Pocket Internet Explorer) that will try to connect to the network. Once you are connected you will see the "double arrow" icon next to the clock on the top taskbar (Fig. 8).

  As with the IPSec connection, you will be able to view and connect to network resources as if you were connected directly to the network locally. You are now ready to connect to distressed servers from anywhere as long as you can establish an Internet connection. You can also sync your e-mail account directly with your e-mail server via MS Exchange Server 2000 with MIS, MS Exchange Server 2003, or with any e-mail server that has POP3 services. You can also sync directly with your workstation on the LAN to remain completely up to date. This will provide notification in near-real time, or you can receive notifications via your modem card's text message system. MS Exchange Server can even send alerts to this system, as can a slew of third-party monitoring and notification software packages such as WhatsUp Gold or NetIQ. This will allow you to remain offline so you can receive phone calls and save battery power, connecting only when required.

  With all these systems in place you now have instant access to your network, minimizing the late night runs back to the office, and improving not only the level of support to your organization but the quality of life of your IT staff. Cell phones and pagers provide a method to notify personnel of problems. Wireless-empowered Pocket PCs not only notify IT staff of a problem but, with wireless VPN, offer a secure, instant solution to those problems. I have been able to cut downtime in half, shorten solution times to less than 30 minutes in 90% of my support cases, and shorten response times to less than 10 minutes. I have been able to raise the level of support I provide, even though my physical staff is smaller. In addition I have lowered my overall operating cost. I hope this article helps you do the same.

  * * *

  PPC cost comparisons

  Device          Base Cost   Expanded battery     Expansion Pack               802.11b interface   Bluetooth interface
  Dell Axim X5    $293.00     $99.00 (3400 mAh)    N/A                          $69.00              $69
  HP 5455         $649.00     $99 (1840 mAh)       $149 (PC card+), $99 (CF+)   Integrated          Integrated
  Toshiba e755    $499.00     $129.00 (3000 mAh)   $99.00 (VGA OUT)             Integrated          N/A

  * * *

  Ron Henderson is the President and Founder of GadTek Computer Services Inc. GadTek Computer Services offers wireless-empowered IT outsourcing through the use of proprietary software and Pocket PC devices, offering the same levels of service internal administrators provide, but at a much lower cost. GadTek Computer Services is a full IT service provider to all of the Dallas Metroplex in Texas, and performs affordable nationwide consulting for all IT and Telecom needs, including IP phone deployments.

  Pocket PC Security

  What can you do to keep your data safe?

  by Josh Daymont

  Your firm is considering rolling out a new mobile application on Pocket PC-based devices which should save the company millions a year through increased productivity and reduced overhead. Suddenly that new guy at the end of the table speaks up and asks the question: What about the information security issues surrounding these devices?

  Corporations rely on mobile handheld computing devices more and more each day. Whether through a departmental Pocket PC-based workflow application or because of just a few employees who use PDAs for increased personal productivity, corporate IT departments will have to support and secure this part of the IT infrastructure sooner rather than later. Support can be accomplished without too much trouble, but what about security? Is that new PDA your director of marketing just bought violating your security policy without you even knowing it? If so, how will the problem be solved? Those are the questions we will be looking into here.

  The issues

  There are a few areas of the Pocket PC operating system that are of concern from a security perspective:

  No concept of user credentials

  No way to restrict file access based on permissions

  No protection for sensitive areas of the system such as device drivers

  Infrared document receiving is turned on by default (does not apply to Windows Mobile 2003)

  The ActiveSync desktop synchronization system

  Other concerns stem from the nature of mobile devices:

  The device itself is easy to misplace

  A mobile device is at much greater risk of attaching to a hostile network

  There are quite a few others, but these are the major ones. As can be seen, the level of information security on an out-of-the-box Pocket PC is considerably lower than that on the typical desktop or laptop system. This is in part because when Microsoft was designing the underlying Windows CE operating system, no one had considered the security implications of adding network communications to the PDA, which at the time was still primarily used for stand-alone, non-networked applications. Although Microsoft has been working hard to make sure that Pocket PC security features are up to par, and the OS is clearly more secure than the Palm OS, it will be some time before the Pocket PC catches up to desktops and servers in terms of security features.

  So what can you do to protect your company's PDAs? As with any other information security problem, the right solution begins with a good, well thought-out security policy. Policy doesn't just come from the security gurus—it has to be based on input from everyone affected. Whether you are an IT administrator, a mobile device evangelist, a security officer, or otherwise, if you are reading this article then you will likely need to help your company define its PDA security policy at some point. Creating and enforcing a security policy is a lot harder than it looks at first, so unless you or someone you are working with has done it before it is probably best to seek some outside help.

  The policies

  PDAs and similar systems are used differently from other computing devices and so have some unique policy issues. For example, where and how may a device be connected to the Internet? Will employees be allowed to put their devices online in an international airport's unencrypted 802.11b hotspot? Will salespeople be allowed to accept digital business cards through their infrared port? Will your newest employee be able to browse any Web site that they wish using their device? What kind of additional security software will be installed on the device? Will Bluetooth devices be allowed?

  Rather than try to anticipate every potentially dangerous use or policy limit, it is usually best to spell out exactly what the device may be used for and then declare that anything outside of the specified acceptable use is disallowed. This of course results in a lot less time and effort for a policy that is just as good as, or probably better than, what would have resulted from a more ad hoc approach.

  Some things should almost always be ruled out in a policy because they are particularly dangerous. Think twice, for instance, before allowing anyone to receive documents over the infrared port. Because a Pocket PC has no concept of internal security controls, any executable file sent to it has the potential to take complete control of the system. Consider restricting users to visiting only Web sites that are business-related. The Pocket PC's Pocket IE browser can become a security hazard if the wrong kind of Web site is visited. Disallow Bluetooth devices if feasible. Bluetooth authentication is still not very good and frankly, the protocol's internal security should be considered suspect based solely on Bluetooth's level of architectural complexity.

  Don't limit policy to the uses for a device, but include the data stored in the device as well. Will sensitive information be kept on the device? Examples might include sales leads, patient histories, user names or passwords, or an employee directory. Sensitive data should be encrypted. L3Solutions provides an effective and affordable Pocket PC encryption solution called LockBox (www.l3solutions.com/L3Prod_L3LBPPC.htm) (see Fig. 1).
