
Handheld Security: Part IV – The Mobile VPN

By Laura Taylor
December 6, 2004

Transmitting data insecurely over wireless connections presents a security risk. If you use your Personal Digital Assistant (PDA) or smartphone to transfer sensitive information or files, you really ought to be using a VPN to ensure that the confidentiality and integrity of your data transfer are not compromised. In this article, part IV of our series on security, Laura Taylor helps you understand how to select a VPN for your handheld.

Handhelds Use Vulnerable Wireless Networks
Handhelds use wireless networks that are particularly susceptible to snooping and exploits. Wireless networks are inherently insecure primarily because when they are initially set up, few security safeguards are put into place. Without these safeguards, just about anyone can join the wireless network whether they are the intended users or not.

With a wired network, the only way someone else can connect to your network is by physically connecting a device to your wire, or by hacking the authentication and logging in to an account or service on your network. With a wireless network, anyone who can pick up the signal can join it if you do not take precautions. In fact, it is so easy to join a wireless network that some users may end up connecting to your wireless network unknowingly and completely by accident.

You should be concerned about basically two types of wireless networks: access point networks and peer-to-peer networks. Access point wireless networks are the kind that you set up at home and that are available at your local airport and coffee bar. With an access point network, you join the wireless network by authenticating through a wireless access point, a box with an antenna that transmits an 802.11 wireless signal to the surrounding area.

With a peer-to-peer network, two wireless clients connect directly to each other without using an access point. The 802.11 wireless standard refers to peer-to-peer wireless networks as ad-hoc networks. (There are different types of 802.11 wireless networks, but that discussion is beyond the scope of this article.)

If you're transmitting proprietary, confidential, or sensitive information using your PDA, you really should be doing it via a VPN. VPN stands for virtual private network, and transmitting data using a VPN means that you're transmitting your data over a secure encrypted channel.

If you transmit your data using a VPN, a hacker cannot access your data by using a wireless sniffer such as NetStumbler. Without a VPN, you lose the ability to keep your data confidential, and you also open it up to the possibility that a hacker could modify it in mid-transmit and re-transmit modified data.

Some VPNs come bundled with strong authentication, and others don't. Strong authentication means that the user authentication process itself is more robust and more secure than an ordinary clear-text password challenge-response application.

If you use a VPN that does not come bundled with strong authentication, you'll want to deploy a strong authentication system in tandem with your PDA VPN. It makes little sense to transmit all your data securely if your password transits the Internet in the clear, leaving the potential for a wily hacker to hijack your VPN client account.

VPN Products
In theory, any VPN client that works on a wired network can work on a wireless network. However, what's important to know is that the VPN client has to interoperate with your PDA operating system. So when you shop for a VPN client for your PDA, you need to find out if the VPN software can run on your PDA operating system.

Many "road warriors" use VPN clients on their laptops to connect back to the home office over a cellular wireless network. Because your laptop runs a standard desktop operating system, it can use a standard VPN client.

There doesn't have to be anything inherent in the VPN software to accommodate a wireless network. However, your PDA or smartphone uses a handheld operating system. Therefore, you cannot use the same client software on your handheld that your laptop is using. If you use the Palm OS on your PDA, the first question you should ask when shopping for a VPN client is, "Will this VPN client run on the Palm platform?" The same goes for other mobile platforms, such as Windows Mobile and Symbian.

Table 1. PDA VPN Products

| Vendor | Product Name | URL |
|---|---|---|
| Aventail | OnDemand | www.aventail.com |
| Certicom | Security Builder IPSec & SSL | www.certicom.com |
| Check Point | VPN-1 SecureClient | www.checkpoint.com |
| Cisco | VPN 3000 | www.cisco.com |
| Columbitech | Columbitech WVPN | www.columbitech.com |
| Entrust | Entelligence | www.entrust.com |
| Epiphan Consulting | VPN | www.epiphan.com |
| Funk | Odyssey Client | www.funk.com |
| Mergic | Mergic VPN | www.mergic.com |
| NetMotion | Mobility XE | www.netmotionwireless.com |
| SafeNet | SoftRemote PDA | www.safenet-inc.com |
| Symbol Technologies | AirBEAM Safe | www.symbol.com |
| V-ONE | SmartPass Client | www.v-one.com |

A variety of handheld VPN vendors are noted in Table 1. Leading PDA VPNs are based on either IPSec or SSL. While I won't be going into comparing IPSec VPNs against SSL VPNs for this article, it is worth understanding that mobile VPN clients often only support one or the other. You should inquire whether the mobile client you are thinking of procuring offers SSL VPNs, IPSec VPNs, or both.

Keep in mind that when you use a handheld VPN client for a site-to-site VPN, you need a VPN gateway at the remote end. Your handheld VPN client must work together with the VPN gateway to let you into the remote network.

In some cases, you can purchase a mobile VPN client that works with your existing infrastructure. In other cases, you may need to buy an entire VPN gateway for the handheld clients to authenticate to and log in to. To keep the cost down, first see if you can find a mobile VPN client that works with your existing infrastructure.

Selecting Your Wireless VPN Criteria
In choosing a wireless VPN, there are a number of criteria you'll want to consider and research. Here are some questions you should ask yourself and the vendor in regard to each VPN client you consider:

· Which PDA platforms are supported?
· Is it an IPSec VPN, SSL VPN, or both?
· Are external directory servers such as LDAP, Active Directory, and RADIUS supported?
· Can the VPN client connect into your existing VPN gateway?
· Will you need to purchase, install, and configure a new VPN gateway?
· Does the PDA VPN vendor have a track record of innovation?
· Will your PDA VPN client and gateway be easy to administer?
· Do you need a "clientless" solution that works through a browser?
· If you use a client-based solution, how will you install it on all the enterprise PDAs?
· Does your PDA VPN have to be FIPS compliant?
· What security policies does your PDA have to adhere to for remote transmissions?
· Does your security policy require you to use a particular cryptographic key length?
· Will your PDA VPN require security Certification and Accreditation?
· Is the PDA VPN you are considering vulnerable to any well-known attacks?

VPN Upshot
All types of vertical markets are requiring mobility for their end-users. Whether your organization is in healthcare, technology, education, aerospace, automotive, national security or what have you, handhelds have become a way of life.

If you're going to use them for data transmissions, you should do it securely. Even if the data you are transmitting is not sensitive, you could be exposing your organization to a security exploit simply by sending data through an unsecured link. If you are sending or connecting to an organization that deals with national security, financial matters, or sensitive personal information such as social security numbers, credit card numbers, or medical records, you need to use a VPN with your PDA or you shouldn't be transmitting anything at all. If you ask the right questions when shopping for a solution, you'll find just the right VPN to meet your needs.



Related Links:

  • Handheld Security: Part III – Evaluating Security Products
  • Handheld Security: Part II - Understand Vulnerabilities
  • Handheld Security: Part I - Learn the Basics
  • Top 10 Items You Shouldn't Allow on Employee Unprotected PDAs (and what to do about it)

     