Connecting the remote end user: finding the right – and safe – solution

Many IT executives have watched the proliferation of new Internet connectivity options with understandable caution. The Wild West world of supported and unsupported Wi-Fi hot spots in hotels, coffee shops, airports, and even homes presents attractive options for remote PC users looking to get online, but it also creates real security and system support concerns. As is often the case, the IT leader’s challenge is to determine when to incorporate and support new technologies and services and what represents a deployable configuration that blends new capabilities with security and supportability.

Most companies today support only dialup connectivity for their remote users, but end users are becoming more and more attracted to the increased productivity promised by the “easy and pervasive” access of Wi-Fi hot spots and other connection methods. While at this point, perhaps only the usual suspects — the early-adopter technophiles — use the various Wi-Fi services or plug into wired Ethernet jacks in hotels, offices, and homes, more mainstream users are being enticed to try these connection methods, creating broader concerns about remote system stability along with data and network security.

This Executive Update explores some of the relevant issues concerning today’s commonly available connectivity solutions for remote PC users — dialup access, wired Ethernet connections, Wi-Fi, and cellular data networks — and proposes a hybrid solution that may provide the right blend of more pervasive access, increased productivity, and supportability for you and your remote users. We’ll consider each technology/service across the following areas:

Distribution of connection points. The overall distribution of the access points in urban or suburban areas for the given service. In rural settings, only dialup service is likely to be widely available.

Convenience. The ease with which an end user can successfully connect to a service.

Supportability. The likely impact of this service on the stability and functionality of a remote user’s system and the resulting impact on the support organization.

Bandwidth. The data rate (or range of rates) available with the service.

Security. The high-level security issues for the service. A thoughtful risk assessment should be completed, and a network and data security policy should be developed and in place before any remote access connection method is authorized.

Dialup via plain old telephone service (POTS)

Summary. Dialup is available almost everywhere and is usually easy and stable to configure and support, albeit at comparatively low data rates.

Distribution of connection points. The POTS network has an extremely broad global distribution of connection points (i.e., phone jacks).

Convenience. Using the dialup network from modern portable computers is generally simple once a suitable phone port has been located and the system connected. Most national or global ISPs provide “connection managers” that facilitate finding the best dialup phone number and connecting from a given location.

Supportability. Once a connection manager has been set up, dialup networking seldom requires changes to system or network configurations, and many providers offer level 1 support for your end users as part of their service.

Bandwidth. Dialup connections are not fast by today’s standards; they’re commonly in the 20-kbps-to-48-kbps range.

Security. Unauthorized access to the network data between the remote system and network aggregation point is difficult due to the physical and logical topology of the circuit-switched POTS network. Most dialup services leave the remote system open as an IP-addressable Internet node, generally without a firewall.

A dialup variant worth noting that adds a significant degree of security is to have remote systems dial directly to a modem bank at the corporate firewall, bypassing the Internet. Connections made directly to the company network can have a security profile similar to what exists on the corporate network (assuming proper configuration and physical security of the remote system).

Wired Ethernet

Summary. High-speed wired Ethernet connections are available in limited remote locations such as hotels and offices. Their availability is not likely to grow substantially, and while it’s often quick and easy for an end user to set up a wired Ethernet connection, it also can be troublesome and can create security and support issues.

Distribution of connection points. Availability of connection points is hit or miss, with most access in a limited set of hotels, offices, conference centers, and broadband-enabled homes with hubs or routers. Given the increasing distribution of Wi-Fi and other wireless services, it’s unlikely that the number of access points will grow.

Convenience. When the network behind the port is configured for “automatic network configuration” via DHCP, most modern portable computers will “just work” when connected, although occasionally only after a reboot. If the network does not use automatic network configuration via DHCP, connecting a system may be difficult.

Supportability. If the network behind the port uses DHCP, and if your remote systems are reasonably modern, supporting wired Ethernet connections is usually fairly trouble-free. When remote networks require manual configuration, or a unique connection manager or a proxy server must be configured to enable access, support may become an issue. Occasionally, end users or third-party technical support personnel will modify important system and networking parameters, creating future system configuration problems and security issues.

Bandwidth. In general, the LAN speed will be between 10 and 100 Mbps, and the Internet network connection speed will frequently be 1 Mbps or greater.

Security. It’s not possible to determine a “normal” security profile for a wired Ethernet connection because, to a large degree, the network topology determines the ease with which data can be captured and a system probed or attacked. Some situations are by their nature more secure (as, for example, when the Ethernet port is on a switched network behind a trusted corporate firewall versus when the port is on a “shared wire” hub network and connected directly to the Internet without a network firewall). Support for wired Ethernet will likely require the assumption that the system will be on an “open” network and exposed as an unprotected node on the Internet.

Wi-Fi (802.11b and 802.11g) hot spots

Summary. Commanding a large share of today’s buzz, Wi-Fi is perhaps the technology that will most generate end-user enthusiasm for more pervasive online access. But with occasionally complicated connection requirements, different security models, and a mix of free and for-fee services, it may be the most frustrating for end users as well as a difficult and expensive technology to support.

Distribution of connection points. Wi-Fi access points seem to be sprouting everywhere, some as fee-based services offered by companies in hotels, stores, restaurants and airports; others offered deliberately as free network connection points; and many unknowingly left open to the world when Wi-Fi is installed as part of a home or business network.

Convenience. Wi-Fi hot spots create a heterogeneous set of services that overlap at times, utilizing a variety of s