The Wireless Edge: Mobile Computing Policy and De-Perimeterization

On September 20, I chaired a meeting of the Portable Computer and Communications Association on the topic of "Mobile Computing Policy and Network Access Control." The PCCA meets quarterly to address developments in wireless and mobile computing, and meetings have good representation from operators, device vendors, computer vendors and wireless middleware providers. This meeting, hosted by NetMotion Wireless, proved quite illuminating, making me realize that mobile computing is simultaneously maturing and becoming an evermore complex field, with new aspects to consider. Policy management is one aspect. De-perimeterization (not an English word, but used at the meeting and a descriptive nevertheless) is another.

Policy refers to rules on how computers are allowed to behave in different scenarios. For example, Microsoft Windows Vista Group Policy allows IT managers to specify items such as which SSIDs (Service Set Identifiers) a laptop computer can associate with, and whether to prevent a connection if WPA (Wireless Protected Access) isn't available. Mobile computing policy is a capability in products such as NetMotion Wireless' Mobility, where IT managers can centrally specify rules such as what networks a mobile system can connect with and, more interestingly, what applications are allowed access to what network. This way, bandwidth-hogging applications (e.g. music downloads) might only run over Wi-Fi or Ethernet, but not over a 3G connection, which could be especially handy with a usage-based pricing plan.

Since the NetMotion Wireless product sits above the stack, it actually knows which applications are transmitting information and can go one step further and do traffic prioritization within the secure tunnel that the mobile VPN has created between the client software and the mobility server. For instance, the software can give higher priority to VoIP traffic than Web browsing, while giving Web browsing higher priority than Windows Update operations. The result is a form of QoS in networks that currently have no QoS capability, and the results are impressive. A demo showed intelligible voice over a 3G connection with other applications running, compared to completely garbled voice.

What's nice about a well-implemented policy management system is that rules can be created centrally and pushed out to devices. At the meeting, Aventail provided another example of policy in describing its Mobile SSL VPN product, which enforces endpoint control. Here the central SSL VPN gateway can interrogate the device to make sure it has the right constitution before permitting it to access enterprise resources. For example, with Windows Mobile 5 devices, the system can check for specific applications, directory names, file names, Windows registry entries, Windows version and device certificates. You can expect more and more mobile middleware solutions to support policy management, as well as increasing support from within the OS itself.

As for de-perimeterization, Aventail refers to this as an inverted network and promotes this approach with its SSL VPN solution. The concept is simple. In the past, companies designed their networks to have hard perimeters, with little protection once you were inside the network. The concept of an inverted network is to trust no node and to require every point in the network to have authenticated/authorized/encrypted access to enterprise resources. This adds some overhead to the network, but it offers quite a few advantages. It greatly facilitates guest network access, temporary workers using your network and workers connecting to your network by the network connection of the moment, whether 3G, Wi-Fi hotspot, home network or Internet kiosk. In other words, it enables a flexible networking topology sensitive to today's increasingly mobile paradigm. At the same meeting, Boeing described its implementation of an inverted mobile network architecture based on the Open Group Secure Mobile Architecture design. The core networking protocol used within SMA is Host Identity Protocol, a variant of IPSec that addresses mobility by relying on names rather than IP addresses to identify endpoints. This enables roaming across subnets and is an elegant alternative to using the Mobile IP protocol. HIP is currently an IETF draft RFC. The Boeing mobile architecture also implements policy in the form of location. Mobilized equipment connected over Wi-Fi can only communicate when it's in an authorized location. I found the Boeing mobile network architecture quite impressive, and it's no surprise given Boeing's active involvement in key underlying standards and wireless technology evaluation. My first discussions with its wireless architects date back to 1993.

Policy and de-perimeterization are just two instances illustrating how mobile and wireless technology implementation is much more than just a discussion of wireless links. It's easy to get fixated on the wireless link, as wireless technology is so sophisticated and so interesting. But ultimately, that wireless link just replaces a wire, and a complete, managed and secure system for mobile workers requires many ancillary components.

Peter Rysavy is the president of Rysavy Research (http://www.rysavy.com/), a consulting firm that specializes in wireless technology assessment and integration.