Guidance for securely using SSL VPNs, mobile devices

The National Institute of Standards and Technology has released a guide to virtual private networks that use Secure Sockets Layer technology, comparing and contrasting them with IPSec and other VPN solutions.

Special Publication 800-113, 'Guide to SSL VPNs,' includes recommendations for designing, implementing, configuring, securing, monitoring and maintaining VPNs.

NIST also released for comment a draft version of SP 800-124, 'Guidelines on Cell Phone and PDA Security.' It is an overview of common cell phone and personal digital assistant devices to help administrators make informed information technology security decisions about their use.

VPNs that secure connections for remote users via Web browsers and SSL encryption are popular because they are easy to use. The SSL protocol is included in all standard Web browsers, so the client usually does not require reconfiguration and users can access the VPN from a wide range of computers. Portal VPNs enable users to access resources via a Web site. Tunnel VPNs allow users to access applications and protocols that are not Web-based but require the browser to handle active content.

'Despite the popularity of SSL VPNs, they are not intended to replace Internet Protocol Security VPNs,' the NIST guide states. 'The two VPN technologies are complementary and address separate network architectures and business needs.'

Requirements and recommendations for deploying an SSL VPN include:
  • Configuring it to allow only cryptographic algorithms and modules that comply with Federal Information Processing Standard 140-2.
  • Evaluating several products against clearly defined requirements.
  • Using a phased approach to planning and implementation.
  • Recognizing the limitations of the technology.
  • Implementing other measures to support and complement the VPN.

'Guidelines on Cell Phone and PDA Security' provides an overview of security considerations for a class of personal, mobile technology that is becoming increasingly powerful and important in the workplace. Small devices now include much of the functionality of desktop computers and mobile communication features such as Wi-Fi, Bluetooth, multiple forms of cellular service and Global Positioning System receivers.

The devices can be easy to lose and subject to malicious code, spam, eavesdropping, tracking and spoofing.

'To date, incidents from malware and other identified dangers that have occurred against handheld devices have been limited when compared with those against desktop and networked computers,' the guide states. 'One factor is that no single operating system dominates handheld devices to the same extent, fragmenting the number of potential homogeneous targets.'

But to avoid problems, NIST recommends that organizations:
  • Plan for and deploy appropriate security controls for cell phones, PDAs and other handheld devices.
  • Ensure that devices are deployed, configured and managed to meet business objectives and security requirements.
  • Manage and maintain the security of devices throughout their life cycle.

Comments on 'Guidelines on Cell Phone and PDA Security' should be e-mailed by Aug. 8 to 800-124comments@nist.gov with 'Comments SP 800-124' in the subject line.

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.