Network Computing is part of the Informa Tech Division of Informa PLC

The Wireless Edge: Mobile Computing Policy and De-Perimeterization

On September 20, I chaired a meeting of the Portable Computer and Communications Association on the topic of "Mobile Computing Policy and Network Access Control." The PCCA meets quarterly to address developments in wireless and mobile computing, and meetings have good representation from operators, device vendors, computer vendors and wireless middleware providers. This meeting, hosted by NetMotion Wireless, proved quite illuminating, making me realize that mobile computing is simultaneously maturing and becoming an ever more complex field, with new aspects to consider. Policy management is one aspect. De-perimeterization (not an English word, but used at the meeting and descriptive nevertheless) is another.

Policy refers to rules on how computers are allowed to behave in different scenarios. For example, Microsoft Windows Vista Group Policy allows IT managers to specify items such as which SSIDs (Service Set Identifiers) a laptop computer can associate with, and whether to prevent a connection if WPA (Wi-Fi Protected Access) isn't available. Mobile computing policy is a capability in products such as NetMotion Wireless' Mobility, where IT managers can centrally specify rules such as which networks a mobile system can connect to and, more interestingly, which applications are allowed access to which network. This way, bandwidth-hogging applications (e.g. music downloads) might only run over Wi-Fi or Ethernet, but not over a 3G connection, which could be especially handy with a usage-based pricing plan.

Since the NetMotion Wireless product sits above the network stack, it actually knows which applications are transmitting information and can go one step further and prioritize traffic within the secure tunnel that the mobile VPN has created between the client software and the mobility server. For instance, the software can give higher priority to VoIP traffic than to Web browsing, while giving Web browsing higher priority than Windows Update operations. The result is a form of QoS on networks that currently have no QoS capability, and it is impressive. A demo showed intelligible voice over a 3G connection with other applications running, compared to completely garbled voice without prioritization.
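As an added illustration (not NetMotion's code or rule syntax), the following Python models the two mechanisms described above: a centrally defined, default-deny policy that maps each application to the networks it may use, and strict-priority ordering of admitted traffic inside the tunnel. The application names, network types and priority values are constructed for the example.

```python
from heapq import heappush, heappop
from itertools import count

# Central policy, as an IT manager might push it to every client.
# For each application: the network types it may use and its priority
# inside the tunnel (lower number leaves the client first). Constructed values.
POLICY = {
    "voip":           {"networks": {"wifi", "ethernet", "3g"}, "priority": 0},
    "web":            {"networks": {"wifi", "ethernet", "3g"}, "priority": 1},
    "windows_update": {"networks": {"wifi", "ethernet", "3g"}, "priority": 2},
    "music_download": {"networks": {"wifi", "ethernet"},       "priority": 3},
}

def allowed(app: str, network: str) -> bool:
    """Default deny: an application with no rule, or whose rule does not list
    the current network, gets no access to the tunnel."""
    rule = POLICY.get(app)
    return rule is not None and network in rule["networks"]

class TunnelScheduler:
    """Strict-priority queue standing in for the per-application ordering a
    mobile VPN client applies before packets go over the air."""
    def __init__(self, network: str):
        self.network = network
        self._heap = []
        self._seq = count()   # keeps FIFO order within one priority class
        self.denied = []      # (app, payload) pairs blocked by policy

    def submit(self, app: str, payload: str) -> bool:
        if not allowed(app, self.network):
            self.denied.append((app, payload))
            return False
        heappush(self._heap, (POLICY[app]["priority"], next(self._seq), app, payload))
        return True

    def drain(self) -> list:
        """Return packets in the order they leave the client."""
        out = []
        while self._heap:
            _, _, app, payload = heappop(self._heap)
            out.append((app, payload))
        return out

def demo(network: str = "3g") -> dict:
    """Feed constructed, interleaved traffic through policy and the scheduler."""
    s = TunnelScheduler(network)
    for app, payload in [("windows_update", "patch-chunk-1"), ("web", "GET /index"),
                         ("music_download", "track.mp3"), ("voip", "rtp-frame-1"),
                         ("web", "GET /style.css"), ("voip", "rtp-frame-2")]:
        s.submit(app, payload)
    return {"sent": s.drain(), "denied": s.denied}
```

On a 3G link the music download is refused outright while both VoIP frames leave ahead of the Web requests, which in turn leave ahead of the Windows Update chunk; on Wi-Fi the same download is admitted at the lowest priority.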

What's nice about a well-implemented policy management system is that rules can be created centrally and pushed out to devices. At the meeting, Aventail provided another example of policy in describing its Mobile SSL VPN product, which enforces endpoint control. Here the central SSL VPN gateway can interrogate the device to make sure it is in the required state before permitting it to access enterprise resources. For example, with Windows Mobile 5 devices, the system can check for specific applications, directory names, file names, Windows registry entries, Windows version and device certificates. You can expect more and more mobile middleware solutions to support policy management, as well as increasing support from within the OS itself.

As for de-perimeterization, Aventail refers to this as an inverted network and promotes this approach with its SSL VPN solution. The concept is simple. In the past, companies designed their networks to have hard perimeters, with little protection once you were inside the network. The concept of an inverted network is to trust no node and to require every point in the network to have authenticated/authorized/encrypted access to enterprise resources. This adds some overhead to the network, but it offers quite a few advantages. It greatly facilitates guest network access, temporary workers using your network and workers connecting to your network by the network connection of the moment, whether 3G, Wi-Fi hotspot, home network or Internet kiosk. In other words, it enables a flexible networking topology sensitive to today's increasingly mobile paradigm.
