PDA and wireless security hot topic at RSA

SAN FRANCISCO – Companies offering products to secure content stored on wireless devices were out in force at this year’s RSA Conference in San Francisco, underscoring the increased urgency with which companies are addressing the security threats posed by mobile workers.

Security technology for mobile devices ran the gamut from hardware appliances that lock down wireless networks to secure PINs and VPN software targeted at cellular phones and handheld PDAs.

These are among the products on display at the conference, which runs through Thursday at the Moscone Center:

— Pointesec Mobile Technologies announced Pointsec for Pocket PC 2.0, a software application that encrypts data stored on Microsoft’s Pocket PC 2002 PDA.

Pointsec for Pocket PC 2.0 can encrypt data stored on the PDA device, including files used by Microsoft’s Outlook or Pocket Word applications. The software can also protect PDA data stored in removable media such as microdrives, multimedia cards, and secure digital cards, according to Pointsec, which is part of Protect Data of Stockholm.

— Aventail of Seattle displayed a new version of its OnDemand VPN agent for the PocketPC platform. Customers using Aventail’s Anywhere Secure Access Policy (ASAP) platform will be able to use the company’s Secure Sockets Layer VPN technology to authenticate and encrypt communications sent from applications running on a PocketPC, including Microsoft’s Pocket Outlook e-mail software, Aventail said.

— Renesas Technology America offered a different option for securing data on mobile devices. The San Jose company’s PIN Secure MultiMediaCard is a standard seven-pin MMC card outfitted with Public Key Infrastructure encryption and digital rights management, as well as a tamper-resistant module for data storage.

The SecureMMC card can be used to secure file-level data on PDAs and cellular phones that accept the MMC cards. Files are stored on the PDA in encrypted form. License keys and a PIN to access those keys are stored in the SecureMMC card’s tamper-resistant module, Renesas said.

— On the wireless LAN front, Funk Software demonstrated its Odyssey Server v1.1 and Steel-Belted Radius v4.0 servers. The latest versions of those products from Cambridge, Mass.-based Funk now feature WLAN security management and integration features.

Odyssey v1.1 is intended for smaller offices or autonomous wireless networks within larger organizations. The latest version of the product adds the ability to authenticate WLAN users against a non-Windows authentication database, such as one based on SQL/LDAP (Lightweight Directory Access Protocol), or a token authentication system such as RSA Security’s ACE Server.

The Odyssey v1.1 server costs $2,500, a price that includes Odyssey Server and 25 Odyssey Client licenses.

Steel-Belted Radius v4.0 is for enterprises that use non-Windows authentication schemes or that need user management and support for remote access. Version 4.0 adds support for two protocols that enable the product to authenticate wireless LAN users against existing authentication databases and communicate within wireless networks that have deployed a PKI infrastructure.

Steel-Belted Radius for enterprises costs $4,000. The Steel-Belted Radius/Global Enterprise Edition, for organizations with larger and more complex networks, costs $10,000.

— Taking an appliance approach to WLAN security, Fortress Technologies displayed its AirFortress hardware products for securing wireless networks. The Oldsmar, Fla., company makes two security gateways for wireless networks: the AF1100, for remote offices, and the enterprise-class AF6500.

When coupled with a software client, both products can secure communications between a company’s wired LAN and mobile devices such as PDAs and laptops connected to wireless access points.

The AirFortress gateways act as a bridge, decrypting and passing on wireless communications from devices connected to the wireless LAN to resources on the wired LAN. Both devices support wireless LANs using the 802.11 and 802.16 standards and are Federal Information Processing Standards certified, Fortress said.

Interest in wireless security products is being driven by increased attention to domestic security within government, as well as a host of regulatory changes that affect companies in financial services and health-care where use of such devices is common, said Ken Evans, vice president of marketing at Fortress.

The federal government accounts for a good deal of Fortress’s customers, he said.

In the private sector, the federal Health Information Portability and Accountability Act (HIPAA) of 1996 and the Sarbanes-Oxley Act of 2002, which affects corporate governance and financial disclosure, are forcing companies to look for ways to better encrypt and protect the data that is stored on and passed from PDAs and wireless devices, Evans said.

“You can’t stop wireless even if you think you can,” said Pete Lindstrom, research director at Spire Security in Malvern, Pa.

For example, inexpensive hardware and demand within organizations has made the spread of WLANs within the corporate environment similar to the adoption of file server technology on networks in the 1980s, Lindstrom said.

Rogue wireless access points that provide attackers points of entry to corporate LANs behind firewalls are a chief concern among IT administrators, Lindstrom said.

In time, the increased use of portable devices and WLAN technology will make such devices just another part of a company’s IT security profile, rather than a special case, Lindstrom said.

“Wireless is going to go away as a specific concern and become integrated into the computing environment,” Lindstrom said.

Despite the relative newness of mobile and wireless technology within the corporate sphere, IT administrators should apply the same techniques that help secure wired devices to portable and wireless technology, including encryption to protect data and threat monitoring to spot attacks, Lindstrom said.