Wireless links get the squeeze

Still in their infancy, solutions for securing wireless transmissions between agency networks and portable handheld computers cannot be accomplished today with only one product. Full security requires a combination of software on the network and on the device — and more importantly, a policy that makes good use of it all.

The limited storage space and processing power of handheld computers have hampered the development of sophisticated security solutions on handheld devices. Federal security policies, or the lack of them in regard to wireless devices, have also been stumbling blocks. "There are a lot of Defense Department security policies that don't fit handhelds today, but they will down the road," said Robert Collier, chief of enterprise technology for the Army Medical Department, which is part of the Medical Command (MedCom) in San Antonio. Collier, also a consultant with GTSI Corp., is evaluating ways to secure wireless networks as part of the Army Desktop and Microcomputer Contract.

MedCom's medical staff uses Hewlett-Packard Co. iPaq PocketPCs for scheduling and contact management and for monitoring the status of tasks. Like many others in the growing group of government employees who use agency-issued handheld computers, MedCom employees don't use their portable computers wirelessly.

"We lose mobility because we can't deploy wireless until we find a way to secure it," Collier said.

Most security solutions for wireless handheld devices reside on the network, not the handheld computer. For example, Cranite Systems Inc.'s network-oriented software works in part by allowing handheld devices coming through a wireless connection to link only to certain segments of the enterprise network.

Many wireless security solutions use a type of virtual private network (VPN), that encrypts data as it flows between two points. In this case, it connects the wired network and the handheld device. Because VPNs originated in the fixed infrastructure of the wired world, they had to be adapted for use in the wireless environment.

In Cranite's case, adaptation has meant establishing the VPN at a different network layer than the ones that wired VPNs typically use, said Max Mancini, Cranite's vice president of engineering. In part, this approach allows the VPN to better handle the problems related to wireless networks, such as the communication interruptions that can occur when users pass from one wireless access point to another.

On the device side, products from companies such as Credant Technologies and Bluefire Security Technologies encrypt data while it is stored on the handheld computer and lock access to the system by using password-based security in case the device is lost or stolen.

As compression technology has improved, vendors have begun offering more security options. "We have developed a proprietary compression technology that allows us to put security on a small platform on the device that takes up only 600K of space," said Tom Goodman, Bluefire's vice president of business development and operations.

For many government information technology shops, such as the one at MedCom, any security solution must conform to DOD security directives. For example, the directives require nonrepudiated network authentication from the device to the network and Federal Information Processing Standard 140-1 or 140-2 accreditation with standard encryption technology.

In a pilot program testing wireless technologies that comply with DOD guidelines, Collier is evaluating Cranite's FIPS 140-2-certified, network-based security solution and Credant Technologies' Mobile Guardian product.

The need to use at least two products to achieve wireless security can burden users with multiple passwords. To make security easy for MedCom users, Cranite and Credant partnered to create a common application program interface.

"We both implemented the one API we agreed on into our products so the user wouldn't have to use two passwords," said Bob Heard, Credant's chief executive officer.

Although DOD officials have issued guidelines for securing wireless handheld devices, they have not issued a wireless security policy yet. While awaiting the final policy, MedCom officials plans to maximize the value of their handhelds by creating new applications, such as medical databases, that can operate off-line.

Bluefire is another example of the kind of security management products that are starting to emerge. The company's Bluefire Mobile Firewall Plus provides a firewall for handheld computers, an integrity monitor that protects the portable system's file and registry settings, a security manager to enforce security policy and an intrusion-detection system.

Recently, the Air Force Research Lab in Rome, N.Y., has begun to evaluate Bluefire's technology for use with a VPN for securing wireless data transmissions between handhelds and a wired network.

Bluefire has "a very small footprint for a resource-constrained device," said Andrew Karam, the lab's program manager. This type of device-based security is only the beginning, according to security experts.

Gerber is a freelance writer based in Kingston, N.Y.