Pocket PC 2002's successor provides valuable security enhancements
Last summer, Microsoft released Windows Mobile 2003, the successor to Pocket PC 2002. If you're considering implementing a Windows Mobile powered device as a PDA standard in your enterprise, you'll want to know about the new and updated Windows Mobile 2003 connectivity and email features and some improvements that will enhance the security of your mail system and your enterprise.
The Windows Mobile platform comes standard with Microsoft Pocket Outlook, which provides basic access to Exchange data through five applications that mirror their counterparts in the desktop version of Outlook: Calendar, Contacts, Inbox, Notes, and Tasks. Figure 1, page 6, shows the Pocket Outlook architecture. The design consists of three main parts: applications, data stores, and transports. Windows Mobile 2003 has improved all three areas, but the changes to the transports area are the most important with respect to security.
The transports portion provides the means for moving information to and from the PDA. At first glance, the new version of Pocket Outlook looks much like earlier versions. Out of the box, you still have two basic ways to move data to and from the PDA: through Internet-standard protocols (i.e., IMAP, POP, and SMTP) or through Microsoft ActiveSync synchronization (either through a desktop-mediated connection or over the network using Exchange Server 2003 ActiveSync).
On closer inspection, however, you'll find that Microsoft has updated the code that implements each transport component, adding new features, correcting problems, and improving performance. For example, earlier versions of ActiveSync sometimes don't recognize that the PDA is connected and have trouble reestablishing connections when a PDA goes into power-save mode. ActiveSync 3.7 has better connection and USB support, so using ActiveSync to connect to your PDA is easier. Windows Mobile 2003 also includes the modules that support network-based synchronization through Exchange ActiveSync. In earlier versions, you had to acquire and load those modules separately.
From a security perspective, the biggest enhancement to the Internet protocols is that Windows Mobile 2003 provides Secure Sockets Layer (SSL) support with POP3 and IMAP connections, so data and user credentials are no longer passed as clear text. Additionally, Microsoft optimized the code that implements Windows Mobile 2003's IMAP protocol so that it's more efficient and runs faster.
Figure 2, page 6, illustrates the path that wireless data takes between the PDA and Exchange. Your connection options amount to three choices: POP and SMTP, IMAP and SMTP, or ActiveSync. Regardless of which type of connection you use, data moves from the PDA to the wireless network, over the Internet, then through the firewall. Behind the firewall, ActiveSync connections route to an Exchange server that's running ActiveSync, then to an Exchange mailbox server. Internet-protocol connections proceed from the firewall to a front-end server that provides SMTP and IMAP or POP access to Exchange.
From the Pocket Outlook perspective, each protocol lets you interact with mailbox data differently and provides a slightly different feature set. IMAP and POP are retrieval protocols: They let you get at items that are in your mailbox. POP is an older protocol and doesn't have as many features as IMAP. The primary difference between the two is that IMAP lets you access multiple folders in your account, whereas POP lets you access only the Inbox. SMTP is a transmission protocol that lets you give messages to the server for delivery. These three protocols let you interact only with mail items—they don't let you access your Calendar, Contacts, Notes, or Tasks.
In contrast, network-based ActiveSync lets you access your Calendar and Contacts as well as your email. You still need to use desktop-based ActiveSync to synchronize Notes and Tasks. When you use ActiveSync to send a message, the message remains in Pocket Outlook's Outbox until you initiate a synchronization session. When you use SMTP to send mail, Pocket Outlook connects immediately to the SMTP server. For incoming mail, POP, IMAP, and ActiveSync provide configuration settings that let you define a polling period or interval at which Pocket Outlook will automatically establish a connection to synchronize (ActiveSync) or retrieve mail (POP or IMAP). If you configure an interval for any of these connections and have saved the necessary connection-authentication passwords, Windows Mobile's Connection Manager automatically establishes your Internet connection and VPN tunnel.
Windows Mobile 2003's wireless connectivity features let you establish a wireless connection through various means depending on the type of mobile device you have and its hardware. If your PDA has an integrated cell phone and your calling plan gives you Internet access, you can use the phone to connect to your corporate RAS infrastructure. The device might also have an always-on wireless transceiver that lets you connect directly to a wireless ISP. Another option is to use a wireless NIC to connect to a private 802.11 network.
The 802.11 protocols have become so popular that many electronics retailers stock more wireless networking components than wired ones, and you can easily find 802.11 hot spots (i.e., public places where your 802.11-enabled device can connect to the Internet). For example, you can usually find wireless hot spots in coffee shops such as Starbucks and in most large airports. These hot spots are often fee-based, but sometimes you can connect for free (e.g., at some conventions and conferences).
Windows Mobile 2003's Zero Configuration Wi-Fi feature makes connecting to 802.11 networks easy. If your PDA has a wireless NIC and you come within range of an 802.11 wireless network, Zero Configuration Wi-Fi detects it and configures the PDA to use it (if you give the OK when prompted). Thus, you can easily move among wireless networks and hot spots.
The downside to wireless networks is that any wireless device that's within range of a signal can read and access all the information flowing on the network regardless of its source and destination. Because 802.11 is an Ethernet standard, all wireless devices are always listening, and anyone can use sniffer technology to intercept and read the network's traffic.
A big consideration when you're using a wireless network is the fact that the networking medium isn't contained within a structure that you can secure. Physical barriers can protect wired networks, but wireless radio frequencies penetrate most physical barriers, and anyone who's sufficiently close to the transmitting computer can monitor these frequencies. For many organizations, this security risk is huge, especially for connections that use the 802.11 protocol.
However, you should keep things in perspective—eavesdropping on wired networks is also possible, if a little more difficult. If someone can access an active LAN port, even one that another PC uses, he or she can insert a $5 Ethernet hub and connect. The accessible nature of 802.11 networks shouldn't rule them out as a connectivity option, but you do need to protect the data that your users transmit wirelessly.
The 802.11b standard tries to protect transmissions by using the Wired Equivalent Privacy (WEP) standard to encrypt data. WEP requires a shared security key. When you want to connect to the 802.11b network, you need to have the security key so that the wireless NIC can encrypt your communications. WEP makes wireless networking more secure. However, WEP still leaves you vulnerable because WEP encryption can be broken and shared keys aren't as secure as individual keys. For an in-depth discussion of WEP, see "802.11 Security Shortcomings," http://www.winnetmag.com, InstantDoc ID 22934. Another WEP consideration is that it prevents you from using Zero Configuration Wi-Fi to set up a wireless connection because the information that Zero Configuration Wi-Fi tries to use to connect the PDA to the wireless network doesn't include the security key.
To give users access to Exchange data from a Windows Mobile 2003 device, you first need to select a transport (i.e., IMAP and SMTP, POP and SMTP, or ActiveSync) from Pocket Outlook's options. The choice of transport dictates what type of front-end server you'll need. Then, you need to secure the communications path.
The end-to-end communications path between a PDA and a user's Exchange mailbox typically contains six or seven segments: the PDA, the wireless network, the Internet, the firewall, an optional tunnel server, a front-end server, and an Exchange mailbox server. You can choose from four technologies to secure the communications: WEP, SSL, VPN, and IP Security (IPSec). Figure 3 shows the communications path and the segments of the path that each technology protects.
As you can see, each technology covers only part of the path. You need to assess the level of risk on each segment and decide whether you need to implement a technology to protect the communications on that segment. For example, between the PDA and the firewall (or the PDA and the front-end server, if you aren't using a VPN), the level of risk is fairly high because you have no idea who else is using the wireless network at the same time you are. Between the front-end server and the Exchange mailbox server, the level of risk usually is relatively low because these components are within your corporate network.
After you've assessed your risk, you need to decide how to protect data on the vulnerable segments. SSL is a good choice because it protects more of the communications path than the other technologies. SSL is also a good option if you don't have a tunnel server in place or don't want the administrative burden of securing and operating a tunnel server. Although SSL secures the communications from the application on the PDA to the front-end server, SSL doesn't do anything to authenticate the user who makes the initial connection to the server. The server must still process all connection requests that it receives regardless of who makes them. A better solution is to prevent anyone who hasn't already been identified from reaching the front-end server, and the best way to do that is with a VPN. Think of a VPN as a router to which you must authenticate before it will accept any of your network traffic. By authenticating at the VPN server, you identify who you are even before you communicate with the email infrastructure or any other internal system.
In Pocket PC 2002, Microsoft added the ability to connect to a PPTP VPN server. VPNs let two computers communicate over a public network as if they were connected over a secure private connection. The VPN provides two main functions. First, it lets the remote computer (e.g., the PDA) connect to a private network and appear to other systems on the private network as though it has a private network IP address. Second, a VPN encrypts the data that flows over the public network. VPNs often use symmetric keys between VPN servers and clients. However, compared with WEP, VPNs use a much stronger encryption algorithm and keys that are unique to the user and that change with each connection session. Pocket PC 2002's VPN encryption supports PPTP. Windows Mobile 2003 enhances this VPN capability by also supporting the more secure IPSec and Layer Two Tunneling Protocol (L2TP) standards.
If you plan to use Windows Mobile 2003 devices to connect to your Exchange server, I recommend that you use a VPN connection. (For instructions about how to configure a VPN in Windows Mobile 2003, see the Web sidebar "VPN Step-by-Step" at http://www.winnetmag.com/microsoftexchangeoutlook, InstantDoc ID 41447.) In addition to providing the encryption you need to protect data that travels over public networks, a VPN provides authentication to help protect your systems.
A VPN also simplifies firewall configuration and lets you provide access to almost any corporate data system. Without a VPN, you need to open multiple ports through your firewall for any system that you want to access from the Internet or a wireless connection. For example, if you don't use a VPN and allow access to Exchange data through both Internet protocols and ActiveSync, you need to open port 143 (without SSL) or 993 (with SSL) for the IMAP connection, port 25 for the SMTP connection, and port 80 (without SSL) or 443 (with SSL) for the ActiveSync connection. With a VPN, you need to open only one port, and that port can give users access to the email system as well as any other system on your corporate network.
If you don't have a VPN but still let users connect to Exchange and send email, you need an Internet-accessible SMTP server that lets users relay email. This is a configuration that you don't want just anyone to use, so if you don't have a VPN, you need to deal with the problems and complexity of configuring your SMTP servers to authenticate those users who need to relay their email. Configuring an SMTP server to authenticate isn't difficult, but Windows Mobile 2003 doesn't yet use SSL-encrypted SMTP, so you'll again be sending usernames and passwords as clear text when you authenticate the sender.
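The cleartext-credential exposure discussed above (POP and IMAP without SSL, and SMTP authentication, which Windows Mobile 2003 cannot encrypt) is what an administrator would want to spot when reviewing captured mail traffic on the wireless segment. The following detector is an added example, not code from the article or from Microsoft; the transcripts and credentials in it are constructed, and the leading "port N" line is an assumed convention of the capture format.

```python
import re

IMPLICIT_TLS_PORTS = {993, 995, 465}   # IMAPS, POP3S, SMTPS: encrypted from the first byte
TLS_UPGRADE = re.compile(r"^(?:\S+ )?(STARTTLS|STLS)$", re.I)        # IMAP commands carry a tag
CRED_CMD = re.compile(r"^(?:\S+ )?(LOGIN|AUTHENTICATE|USER|PASS|AUTH)\b", re.I)
TLS_ACCEPTED = re.compile(r"^(220|\+OK|\S+ OK)", re.I)               # SMTP / POP / IMAP success
AUTH_CONTINUE = re.compile(r"^(\+( |$)|334)")                        # server asks for more data

def cleartext_credentials(session):
    """Return client lines that carried credentials readable by a sniffer.
    `session`: first line "port N" (assumed format), then "C: ..." / "S: ..." lines."""
    lines = session.strip().splitlines()
    port = int(lines[0].split()[1])
    encrypted = port in IMPLICIT_TLS_PORTS
    pending_tls = in_auth = False
    exposed = []
    for line in lines[1:]:
        if encrypted:
            break                      # ciphertext from here on; nothing more to read
        who, _, text = line.partition(": ")
        if who == "S":
            if pending_tls and TLS_ACCEPTED.match(text):
                encrypted = True
            pending_tls = False
            if in_auth and not AUTH_CONTINUE.match(text):
                in_auth = False        # 235/535 or a tagged OK/NO ends the exchange
            continue
        if TLS_UPGRADE.match(text):
            pending_tls = True
        elif in_auth or CRED_CMD.match(text):
            exposed.append(text)       # base64 continuation lines are encoding, not encryption
            if re.match(r"^(?:\S+ )?(AUTHENTICATE|AUTH)\b", text, re.I):
                in_auth = True
    return exposed

# Constructed transcripts; the user name and password are made up.
IMAP_143 = "port 143\nS: * OK ready\nC: a001 LOGIN jsmith Passw0rd!\nS: a001 OK done\n"
IMAP_993 = IMAP_143.replace("port 143", "port 993")
POP_STLS = ("port 110\nS: +OK POP3 ready\nC: STLS\nS: +OK Begin TLS negotiation\n"
            "C: USER jsmith\nC: PASS Passw0rd!\n")   # USER/PASS travel inside TLS
SMTP_25 = ("port 25\nS: 220 mail ESMTP\nC: EHLO pda\nS: 250 AUTH LOGIN PLAIN\n"
           "C: AUTH LOGIN\nS: 334 VXNlcm5hbWU6\nC: anNtaXRo\n"
           "S: 334 UGFzc3dvcmQ6\nC: UGFzc3cwcmQh\nS: 235 Authentication successful\n")

if __name__ == "__main__":
    for name, s in [("IMAP/143", IMAP_143), ("IMAP/993", IMAP_993),
                    ("POP+STLS", POP_STLS), ("SMTP/25", SMTP_25)]:
        print(name, "->", cleartext_credentials(s) or "nothing exposed")
```

The SMTP case mirrors the article's point: with no SSL-encrypted SMTP on the device, the AUTH LOGIN exchange puts the base64-encoded user name and password on the wire for anyone on the wireless segment to read.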
Security Plus Flexibility
The task of defining a PDA standard is often driven by one core requirement, such as the ability to use a secure wireless connection to access email. But standardizing on a PDA platform can limit your options when a user has a new or unique request. Windows Mobile 2003's new features and its ability to run more applications make it a flexible, and now more secure, option for secure wireless access to email.