SafeNet this week introduced a VPN client for Windows-based smartphones built on the IETF’s Mobike protocol.
Mobike lets the IP addresses of an active VPN tunnel change without tearing the tunnel down, a critical requirement for mobile clients. The original Internet Key Exchange (IKE) standard and IPsec assumed VPN endpoints sat at fixed addresses.
SafeNet’s SoftRemote Mobile application lets mobile users establish an encrypted tunnel to the enterprise over any network.
The SoftRemote Mobile client software is initially for Windows Mobile 5 devices. It can be used to secure wireless VoIP as well as wireless data connections, according to Bill Anderson, vice president of encryption products for the Belcamp, Md., vendor.
When mobile clients move, their IP address and associated security and authentication settings can change, and the session can break. The Mobike specification defines how a handset and server deal with this handover, maintaining the voice or data sessions and the client’s security settings, Anderson says.
Technically, Mobike (RFC 4555) is a set of extensions to the IKE version 2 protocol. It covers hosts that have several IP addresses at once (multihoming) and mobility or roaming, where a host’s own address changes as it moves (as opposed to a NAT rewriting it). The main goals are to let a VPN user move from one address to another without re-establishing the IKE and IPsec security associations, and to let a host with several interfaces, such as WLAN and GPRS, switch the tunnel from one to the other. Mobike moves the tunnel to one address at a time; it does not split or load-balance traffic across interfaces.
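The exchange that makes the handover work, as an added illustration that is not part of the original article and is not SafeNet’s or any real IKE stack’s code: the client sends an INFORMATIONAL request carrying Mobike’s UPDATE_SA_ADDRESSES notification from its new address, the gateway moves the security association to the address the request arrived from, and then confirms that address with a COOKIE2 return routability check. Those notification names are from RFC 4555; the message layout, the HMAC standing in for IKEv2’s encrypted payload, and all SPIs, keys and addresses are constructed for the example. The same toy also shows what the protocol is defending against: an update forged by someone without the SA key is dropped, a rewritten source address fails the cookie check and is rolled back, and a peer without Mobike simply stays bound to its old address.

```python
"""Toy model of the MOBIKE (RFC 4555) address-update exchange.
Added illustration, not SafeNet/SoftRemote code or any real IKE stack: messages
are dicts, the network is a function call, and an HMAC under a per-SA key stands
in for IKEv2's encrypted/authenticated payload. SPIs, addresses, keys are made up."""
import hashlib, hmac, os

UPDATE_SA_ADDRESSES, COOKIE2 = "UPDATE_SA_ADDRESSES", "COOKIE2"   # RFC 4555 notify types
PROTECTED = ("spi", "msg_id", "notify", "cookie2")                # IP header is not covered

def icv(key, msg):
    """Integrity check value over the protected fields only (not src/dst)."""
    data = "|".join(f"{k}={msg[k]}" for k in PROTECTED).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build(key, src, dst, spi, msg_id, notify, cookie2=""):
    msg = {"src": src, "dst": dst, "spi": spi, "msg_id": msg_id, "notify": notify, "cookie2": cookie2}
    msg["icv"] = icv(key, msg)
    return msg

class IkeSa:
    def __init__(self, spi, key, peer, mobike):
        self.spi, self.key, self.peer, self.mobike = spi, key, peer, mobike
        self.next_req_id = 0      # expected peer request ID (ordering/replay check)
        self.my_req_id = 0        # own request counter (separate window in IKEv2)
        self.prev_peer = None     # last verified address, kept for rollback
        self.pending_cookie2 = None

class Gateway:
    def __init__(self, addr):
        self.addr, self.sas = addr, {}   # SAs are looked up by SPI, never by source address

    def handle(self, pkt):
        """Process a client INFORMATIONAL request; return the response, or None if dropped."""
        sa = self.sas.get(pkt["spi"])
        if sa is None or pkt["msg_id"] != sa.next_req_id:
            return None                                    # unknown SA or out-of-window ID
        if not hmac.compare_digest(icv(sa.key, pkt), pkt["icv"]):
            return None                                    # forged or tampered: drop
        sa.next_req_id += 1
        if pkt["notify"] == UPDATE_SA_ADDRESSES and sa.mobike:
            # Move the IKE SA and its tunnel-mode child SAs to the address the request
            # arrived from (MOBIKE takes it from the IP header, so it is unauthenticated).
            sa.prev_peer, sa.peer = sa.peer, pkt["src"]
        # Without MOBIKE the notify is ignored, the SA stays bound to the old address,
        # and the roamed client has to run IKE_SA_INIT/IKE_AUTH again.
        return build(sa.key, self.addr, sa.peer, sa.spi, pkt["msg_id"], pkt["notify"])

    def rr_check_request(self, spi):
        """Return routability check: send a fresh COOKIE2 to the new address."""
        sa = self.sas[spi]
        sa.pending_cookie2 = os.urandom(8).hex()
        req = build(sa.key, self.addr, sa.peer, spi, sa.my_req_id, COOKIE2, sa.pending_cookie2)
        sa.my_req_id += 1
        return req

    def rr_check_response(self, spi, resp):
        """True if the cookie came back, authenticated, from the new address; else roll back."""
        sa = self.sas[spi]
        ok = (resp is not None and hmac.compare_digest(icv(sa.key, resp), resp["icv"])
              and resp["cookie2"] == sa.pending_cookie2 and resp["src"] == sa.peer)
        sa.pending_cookie2 = None
        if not ok:
            sa.peer = sa.prev_peer   # modelling choice: fall back to the last verified address
        return ok

class Client:
    def __init__(self, addr, sa):
        self.addr, self.sa = addr, sa

    def move_to(self, new_addr):
        """Handset got a new address (say, WLAN to GPRS): announce it to the gateway."""
        self.addr = new_addr
        req = build(self.sa.key, new_addr, self.sa.peer, self.sa.spi, self.sa.my_req_id, UPDATE_SA_ADDRESSES)
        self.sa.my_req_id += 1
        return req

    def answer(self, req):
        """Reply from the current address, echoing the gateway's COOKIE2."""
        if not hmac.compare_digest(icv(self.sa.key, req), req["icv"]):
            return None
        return build(self.sa.key, self.addr, req["src"], req["spi"], req["msg_id"], req["notify"], req["cookie2"])

def scenario(mobike=True, forged=False, spoofed_src=None):
    """One roam from 192.0.2.10 to 198.51.100.7; returns (accepted, gateway's peer address, rr_ok)."""
    spi, key = "c0ffee01", os.urandom(32)
    gw = Gateway("203.0.113.1")
    gw.sas[spi] = IkeSa(spi, key, peer="192.0.2.10", mobike=mobike)
    client = Client("192.0.2.10", IkeSa(spi, key, peer=gw.addr, mobike=mobike))
    if forged:   # off-path attacker without the SA key tries to redirect the tunnel to itself
        req = build(os.urandom(32), "198.51.100.66", gw.addr, spi, 0, UPDATE_SA_ADDRESSES)
    else:
        req = client.move_to("198.51.100.7")
        if spoofed_src:   # on-path attacker rewrites only the IP header; the ICV still verifies
            req["src"] = spoofed_src
    accepted = gw.handle(req) is not None
    rr_ok = None
    if accepted and gw.sas[spi].prev_peer is not None:
        cookie_req = gw.rr_check_request(spi)
        # the cookie only reaches the client if it really is at the address the gateway sent it to
        reply = client.answer(cookie_req) if cookie_req["dst"] == client.addr else None
        rr_ok = gw.rr_check_response(spi, reply)
    return accepted, gw.sas[spi].peer, rr_ok
```

Two design points carry over to the real protocol. The security association is found by SPI rather than by source address, which is what allows a packet from a never-before-seen address to be accepted at all; the integrity check under the SA key is then what stops anyone without the keys from issuing the update. Because the new address is read from the IP header and is therefore not covered by that check, the gateway confirms it with COOKIE2 before trusting it, so neither a misbehaving peer nor an on-path attacker rewriting headers can use the VPN gateway to aim the tunnel’s traffic at a third party.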
One emerging area where these technical requirements meet practical reality is securing wireless VoIP calls. A handset with SoftRemote Mobile can create a secure link to the enterprise and then place a VoIP call to a Cisco IP PBX, for example. SafeNet is also selling SoftRemote Mobile to carriers, who can terminate the VPN in their own networks and then link end users to hosted applications or Internet sites.
The mobile application is based in part on SafeNet’s original SoftRemote product, which is widely deployed globally, often relabeled with a different brand. Among the firsts claimed by the company are the first VPN product, in 1988, and the first IPSec client nine years later.
Like other IPsec VPN clients, SoftRemote Mobile requires a small client application to be downloaded and installed on the handset. Anderson says this can be done using existing enterprise tools, such as a third-party software distribution application or Microsoft ActiveSync. Users can also load it themselves, and device makers can load the client code as part of the manufacturing process.
There are two versions of the software. One is for tech-savvy users who in effect act as their own network security administrator. The second is a centralized version, used by network administrators to set up and configure enterprise security policies for the handhelds and then lock those settings so users can’t change them.
To protect the client itself from tampering, SoftRemote Mobile can also run at the chip level: Texas Instruments licenses the code for its OMAP mobile application processors. There, SafeNet’s code runs inside a protected boundary within the chipset, with a block of memory that can’t be accessed from elsewhere on the device. Alternatively, a handset maker can embed it in read-only memory (ROM), where SoftRemote runs integrity checks to validate that the code hasn’t been changed.
Anderson says there are no major suppliers of smartphone VPNs. Several start-ups, including Bluefire Security, do have products.
Anderson concedes that SSL VPNs, which are lightweight, easy-to-use applications, are a viable alternative to traditional VPNs, and SafeNet offers such products. “But they’re not good for everything,” he says. “For example, you can’t use an SSL VPN for a point-to-point connection [between two VoIP handsets for example]: it’s client-server.” IPsec VPNs also give network administrators more fine-grained control over the clients and over what they can do on the encrypted link.
SoftRemote Mobile is available now; UK-based cellular carrier O2 is already using the software as the basis of a managed service it offers to enterprise customers. Pricing varies depending on how it’s being deployed. A typical enterprise deployment would be “in the US$20 per seat range,” according to Anderson.