NetMotion Mobility XE Security Overview
Strong, Flexible Authentication and Security
Mobility XE is built on years of experience with hundreds of real-world, mission-critical mobile computing deployments in enterprise, healthcare and public safety settings. Used alone or in conjunction with third-party VPNs, Mobility XE provides HIPAA-compliant, AES encryption (in a number of strengths) to protect data from attack in both a wired and wireless environment.
Strong, flexible authentication and security
Summary
Mobility's Roamable VPN incorporates a standards-based, secure virtual private network designed for wireless networking that integrates single-sign-on authentication.
Roamable VPN encrypts all data transmitted between the Mobility client and server using AES, which is available in 128-bit, 192-bit, and 256-bit strengths (IT managers can also choose 56-bit DES or 112-bit 3DES, though not on a Windows Mobile device). The key exchange occurs via Diffie-Hellman.
Mobility supports native authentication including RADIUS, Microsoft Windows NT domains, NTLMv2, Microsoft Active Directory, Kerberos, PKI, and workgroup-level authentication.
Roamable VPN allows IT managers to protect data on any network type (including public networks not controlled by the IT manager).
When used in conjunction with third-party VPNs, such as Nortel or Cisco, Mobility XE improves performance of these VPNs (as measured in data throughput) by up to 300 percent. Performance test results are available by request.
Mobility server acts as a firewall between the enterprise LAN and available wireless networks.
Mobility protects against lost or stolen devices with its quarantine and abort functionality.
Detailed review
Single sign-on authentication
Support for multiple types of authentication
Mobility supports native authentication with RADIUS, NT domains, Active Directory, Kerberos, PKI, and workgroup-level authentication without extra configuration or setup.
RADIUS support
NetMotion Mobility XE supports RADIUS authentication, which allows organizations implementing wireless networks to leverage an existing RADIUS database to centrally manage remote users.
Supporting RADIUS makes NetMotion Mobility XE ideally suited for deployment in large enterprises because it leverages their existing user directory.
Supported features include EAP-MD5 and LEAP authentication, failover to alternate RADIUS servers if the primary server is unreachable or unavailable, user filtering so that only a subset of RADIUS users is given permission to use the Mobility network, and packet signing for security against man-in-the-middle attacks.
Highly optimized cryptographic key computation
Using highly optimized computation methods, a standard laptop can compute the cryptographic key in under 20 milliseconds.
Even older, low-powered PDAs can perform the same computation in under a second without compromising the cryptographic key strength.
Four levels of encryption to fit any need
Choose from AES (in 128-bit, 192-bit, or 256-bit strength), and (for non-Windows Mobile devices) 3DES (112-bit) or DES (56-bit). The default is 128-bit AES.
NTLM v2 support for Windows devices
NetMotion Mobility XE authenticates devices running the Windows Mobile operating system using NTLMv2 authentication. (Versions 6.01 and earlier of the Mobility client are available for Windows 98, which supports only the weaker NTLMv1 authentication.)
By providing NTLMv2 authentication and signing for all clients running Mobility, enterprises can be assured of the highest level of secure connectivity for their wireless users regardless of the operating system.
Encryption can be set globally, for device classes, or for individual users or devices
Supports common remote access protocols
In addition to our own security protocols, you can use common VPN protocols like PPTP, L2TP/IPSec, and IPSec.
Patent-pending Roamable VPN™
NetMotion Mobility XE supports IPSec on the Windows 2000 and Windows XP platforms to secure traffic between the Mobility client and server.
Our Roamable VPN technology allows WLAN or WWAN users to seamlessly roam while maintaining an authenticated, secure connection.
Single sign-on compatibility with Cisco LEAP
When the Windows and LEAP logon credentials are identical, NetMotion Mobility XE provides single logon access to wireless networks running Cisco's LEAP. This allows NetMotion Mobility XE to integrate seamlessly into enterprises where LEAP is deployed, adding optimized roamable security and encryption to LEAP's access point authentication security.
Support for popular VPNs
When deployed in conjunction with many third-party VPNs, Mobility XE dramatically improves performance of those VPNs by as much as 300 percent. NetMotion Wireless has tested and documented such performance improvements with the following third-party VPNs:
- Nortel Contivity VPN
- Cisco VPN
- Microsoft PPTP, L2TP and IPSec
Dynamic user-session re-keying
For added security, the session keys generated for each client connection at logon are automatically regenerated.
The re-keying interval is set on a global basis in the Configuration Manager on the Mobility server, on the Data Protection tab. By default, user sessions are re-keyed every five hours, but they can be set to be re-keyed as frequently as every 30 minutes.
Solves possible downgrade attacks
Because the security level is mandated from the Mobility server, the security level is not negotiated, so neither the client nor anyone manipulating the exchange can steer the connection to a weaker cipher. The server sends a data-security specification to each client based on the configured setting (DES, 3DES, or AES).
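The following toy model, added here as an illustration and not NetMotion's protocol or code, contrasts the negotiated selection the page warns about with a server-mandated specification; the cipher names, strength ranking and the client-side floor check are assumptions for the example.

```python
"""Toy model of cipher selection: negotiated vs. server-mandated.

Constructed example; the cipher names and strength ranking below are
assumptions for illustration, not NetMotion's protocol or code.
"""

# Assumed ranking: higher value = stronger cipher.
STRENGTH = {"DES-56": 1, "3DES-112": 2, "AES-128": 3, "AES-192": 4, "AES-256": 5}


def negotiated_select(client_offer, server_supported):
    """Classic negotiation: pick the strongest cipher both sides list.

    The client's offer is not integrity-protected in this model, so
    whoever can rewrite it in transit controls the outcome.
    """
    common = [c for c in client_offer if c in server_supported]
    if not common:
        raise ValueError("no common cipher")
    return max(common, key=STRENGTH.__getitem__)


def strip_offer(client_offer, weakest_allowed="DES-56"):
    """Model of the failure mode: an on-path tamperer drops every cipher
    stronger than `weakest_allowed` from the offer before the server sees
    it. Present only to show why negotiation is exposed to downgrade."""
    return [c for c in client_offer if STRENGTH[c] <= STRENGTH[weakest_allowed]]


def mandated_select(server_policy, client_minimum):
    """Server-mandated selection as the page describes: the server sends
    its configured data-security specification and the client gets no
    vote. The client still enforces its own floor (an assumed hardening
    step) so a tampered or misconfigured spec cannot silently go below it."""
    if STRENGTH[server_policy] < STRENGTH[client_minimum]:
        raise ValueError(f"server spec {server_policy} is below client floor {client_minimum}")
    return server_policy


def demo():
    """Run the three cases and return (honest, tampered, mandated)."""
    offer = ["AES-256", "AES-128", "3DES-112", "DES-56"]
    supported = set(STRENGTH)
    honest = negotiated_select(offer, supported)                  # AES-256
    tampered = negotiated_select(strip_offer(offer), supported)   # DES-56
    mandated = mandated_select("AES-128", client_minimum="AES-128")  # AES-128
    return honest, tampered, mandated


if __name__ == "__main__":
    print(demo())
```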
Solves possible man-in-the-middle attacks
Quarantine a user or device
Disconnecting a user's connection
Reconnecting a user's connection