IMAP and POP are
Internet RFC 1939 ( http://www.ietf.org/rfc/rfc1939.txt ) defines POP3, and RFC 2060 ( http://www.ietf.org/rfc/rfc2060.txt ) defines the IMAP4rev1 protocol.
Mid pleasures and palaces though we may roam, Be it ever so
humble, there s no place like home.
”John Howard Payne
Users want to be untethered: they want to be able to go wherever they want, whenever they want, and still have access to their important data. Whether this is actually a good idea is the subject of some debate; I have a good friend who is a project manager for a company that works on
Exchange Server 2003 provides mobile access using several different tools, protocols, and services. Understanding these will help you better identify which security measures make sense for the particular mix of
First, let s dispense with the old-style clients. Microsoft Office Outlook 2003 with RPC-over-HTTPS
Outlook Mobile Access (OMA) is designed to render selected Exchange store content to handheld and mobile devices. OMA supports devices that use Wireless Access Protocol (WAP) 2.x protocols; this includes support for Hypertext Markup Language (HTML), Extensible HTML (XHTML), and Compact HTML (cHTML) ”the markup language used by i-Mode devices. OMA devices make connections to the front end, which proxies their
OMA provides access to your Exchange Inbox, Calendar, Contacts, and Tasks folders; you can look up entries in the Global Address List (GAL), and you can flag messages or mark them as unread. However, the data you see isn t persistently stored on your handheld; for example, on the SonyEricsson T68i (which features a built-in calendar and contact application that can synchronize with Outlook), if you create a new appointment using OMA it won t be added to the phone s calendar. That means that you only have access to your Exchange data when you re online with your Exchange servers. I usually describe OMA as OWA for handhelds, because that does a good job of summarizing how it works.
OMA normally uses Secure Sockets Layer (SSL) to protect its Hypertext Transfer Protocol (HTTP) sessions from end to end. For devices that are using WAP, the wireless carrier might allow the use of the Wireless Transport Layer Security (WTLS) protocol, which is based on the Internet-standard Transport Layer Security (TLS) protocol we ve talked about before. WTLS is used between the device and the WAP gateway; HTTPS is used from the WAP gateway to the OMA server. Neither the
If you re using RSA s SecurID system, you ll be happy to know that OMA works with it; this is because OMA can be used with the Internet Information Services (IIS) and Internet Security and Acceleration (ISA) filters required for SecurID compatibility. However, you must be using devices that are certified as compatible by both Microsoft and RSA Security.
Exchange Server ActiveSync (EAS) actually synchronizes your Exchange data to a mobile device. This functionality obviously depends on having a mobile device that runs some version of Outlook, so it s only available for Microsoft Windows “ powered devices like the Pocket PC 2002 (and later) line, the Pocket PC Phone editions (both the Pocket PC 2002 Phone Edition and the Windows Mobile 2003 Powered Pocket PC Phone Edition), and the Windows-
EAS can perform both on-demand and scheduled synchronizations, and it allows access to all the folders in your mailbox ”a handy feature. EAS allows access to message attachments, and it allows the server to send periodic always up to date (AUTD) notifications to the device so that the device can initiate a synchronization ”this is a simple way to simulate the push approach that Research in Motion (RIM) uses with its BlackBerry devices. AUTD notifications are actually Short Message Service messages originated by the Exchange server and gatewayed by the wireless carrier; you can configure Exchange to send these notifications at whatever interval makes the most sense for your users. Beware, though: most
By default, EAS uses 128-bit SSL to protect all of its communications.
Of course, Microsoft isn t the only company to have figured out that users want mobile access to their Exchange data; in fact, they re not even the first company to figure it out. That
First is RIM s BlackBerry software, which comes in two types. The individual desktop version acts as a redirector that runs in conjunction with Outlook; the BlackBerry Enterprise Server (BES) runs on an Exchange server and redirects mail for multiple users. In either case, mail from the selected mailboxes is encrypted by the BlackBerry redirector, then sent over the Internet to RIM s service center. From there, it s encrypted for the specific device owned by the recipient and transmitted over his or her radio network. If the device is in range of a transmitter, and it s turned on, it receives the message. The other noteworthy product is Good Technology s GoodLink product, which does more or less the same thing as RIM s BES software with a different set of supported handhelds and service providers.
The security implications of these products are pretty obvious:
An attacker who can interfere with the user s desktop machine can prevent new mail from reaching the user, because the desktop redirector has to be running for mail to be transmitted.
All mail has to transit both the Internet and the service provider s network. This might or might not be of concern, depending on how secure you think those networks are and how much you trust the providers.
Any product that can proxy mail for multiple users will of necessity have a service account, or something like it, that has access to multiple mailboxes. If an attacker can compromise this account, he or she can masquerade as any of the users to which that account has permissions. Accordingly, this account should be protected with an extrastrong password, and its use should be