With the development of technology, we may confront the fact that mobility in business environment is becoming a more and more crucial element to determine the position of a corporation and its long-term profitability. Enhancing the use of mobile devices to improve the organization’s productivity comes to be the top priority of a business entity’s agenda, at the same time, security and risk concerns cannot be ignored.
Mobile Device Management solution provided by IT Solution Vendors such as SAP and Oracle has become a mainstream for managing mobile devices’ compliance of organizational IT policy and security. The objective of this paper consists of several components. First, we will reviews the currently available MDM solutions and select the best one based on predefined criteria. Second, we will determine the weakness and risk of the selected MDM. Third, we will incorporate some emerging technologies that will potentially eliminate the weakness and mitigate the risk of the selected MDM. Finally, we will evaluate the selected supporting technologies and provide improvement recommendation in order to create a more secure MDM deployment model.
We will start with security policy.
1.1.1 The Need for Policy
Mobile security is a combined concept, which involves multiple layers of security, including communication security, operations security and information security. Among all, information security stands out and we should pay enough attention to protect it. The C.I.A triangle was used to address the importance of three characteristics that give value to corporations (C stands for confidentiality, I stands for Integrity and A stands for availability), although more critical characteristics have been added into this triangle to make it an expanded concept, which are accuracy, authenticity, utility and possession, the essence of the triangle doesn’t change. By that I mean, an integration of management of information security, computer & data security and network security will be led by policy to constitute the whole information security. Then we may realize the importance of policy to give a guidance to show how to standardize the mobile devices and usage.
1.1.2 Overall Policy
Enterprise Information Security Policy (EISP) will be an overview of the organization’s established security guidelines. It shapes the philosophy of security strategy and acts as an executive document. Typically, EISP doesn’t change a lot because it follows the strategy of an organization, but we also need to take changing environments into account, especially the proliferation of mobile devices involved.
1.1.3 Specific Mobile Policy
When revising existing information security policy, we should consider several elements: business requirements, assets classification and prioritization, user tiers, personal data isolation, levels of service provided, monitoring and controlling policy execution, cost plan & stipend schema and policy extensibility (for future mobile devices or platforms) etc. Newly edited policy is needed to meet the speed and complexity of IT infrastructure evolution.
1.1.4 Integrate Policy into Solution
After the framework has been done and the policy is settled, an integration of policy and solution are called for to provide mobility in business a strong backup force. In latter session, we will discuss the solutions provided by main vendors in current markets.
1.2 Risk Management
1.2.1 Need for Risk Management
In order to prepare fully for emerging risks of mobile devices, we need to understand the components of risk management, which are Risk Identification, Risk Assessment and Risk Control.
1.2.2 Risk Identification
Firstly, we should know ourselves, by which I mean all the information, data and other assets can be accessed by mobile devices should be identified, recorded, classified and prioritized by its importance, approachable levels and vulnerability levels. For example, core business confidential documents will be the top priority, so only the top management or some professionals have the access to those data, by which we determine the security clearance. But it is not sufficient, and we also need to adopt the most secured techniques to do an enhanced protection, no matter the cost of the technology. But for the less important data, we can involve more employees to have access to it to boost productivity, and the technology adopted is unnecessarily too sophisticated. We should take cost effectiveness into consideration.
1.2.3 Risk Assessment
We should identify vulnerabilities between assets and threats, then identify and quantify asset exposure. Based on the work done in the previous procedure, we would do a match. For example, we may calculate the likelihood of customers’ purchase records to be leaked out to our competitor company by employees’ non-compliance to mobile devices policy. After all the necessary items are assessed, the results should be documented for further use and reference.
1.2.4 Risk Control
A comprehensive control framework will be established. Different strategies will be chose to control the risks resulted from possible vulnerabilities. There are major five strategies: Defend, Transfer, Mitigate (includes: Incident Responses Plan, Disaster Recovery Plan and Business Continuity Plan), Accept and Terminate.
1.3 Current MDM Solutions Available in the Market
It is hard to trace back the first Mobile Device Management (MDM), but it is obvious that the creation of those solutions is an echo to the changing environment of mobile devices’ proliferation in business use. Nowadays, almost 30 famed vendors have expanded their business into this area by providing various MDM products with different features and most of them have their advantages, as well as disadvantages. You need to trade off when selecting a solution for your corporation. Most of them are listed as follows from A to Z): Absolute Software, AirWatch, BoxTone, Excitor, FancyFon, Fiberlink Communications, Fromdistance (acquired by Numara Software), Good Technology, Kaseya, McAfee, Microsoft ActiveSync, Mobile Active Defense, MobileIron, Motorola Solutions, Notify Technology, Odyssey Software, RIM, Smith Micro Software, SOTI, Sybase, Symantec, Tangoe, Trend Micro, Wavelink, Zenprise, etc.
Ten MDMs Review
It pays attention to condition monitoring of devices and desk control. It provides supports to Android, iOS, BlackBerry devices, Windows and other platforms. It stands out with advanced reporting function by the dashboard with all the detail information, which can give users a friendly interface. AirWatch also enables multi-users to access data simultaneously and selective separation of users.
This product has a long history of providing service to BlackBerry users, and is famous for a deep integration with BlackBerry Exchange Server (BES). But now it also provides multiple platforms like Android, iOS and Windows Phone 7. BoxTone emphasize real-time analysis, comprehensive service quality management and policy & compliance execution.
* Fiberlink Communications
The product of this vendor is called Fiberlink MaaS360, and it places extra emphasis on Software as a Service (SaaS) and Hosted service of enterprise mobile management. It supports Android, iOS, BlackBerry devices, Web OS, Windows Phone 7 and other mainstream operation systems. The strengths are its analyzing tools and reporting functions.
* Good Technology
The solution helps the users to manage their own mobile devices by it well-behaved enterprise platform and good performance of mobile security. Especially the email encryption system, which is independent from platforms, is well known, as well as its outstanding authentication and authorization service. Additionally, the solution is compatible to Microsoft Exchange and Lotus Notes.
Security expert McAfee took its first step into MDM market by acquisition of Trust Digital, a privately held online security company that specialized in security for mobile devices. Now McAfee EMM can provide support to Android, iOS and other platforms, McAfee also devotes itself to expand the product mix.
MobileIron Visual Smart Platform (VSP) was the first solution to integrate intelligent data & device management and real-time telecom cost control. It provides service to enterprise and individuals at the same time. It can also support multi-platforms including Android, iOS, BlackBerry, etc.
Sybase Afaria of SAP provides a comprehensive security service and management to mobile device users. It was created in as early as the 1997, and later was transformed to Palm and Windows platforms. Now it supports not only the previous platforms but also the mainstream ones as Android, iOS, BlackBerry and etc. Afaria enables the users to isolate or control applications to have access to business data and VPN connections by providing an email client-side with built-in VPN.
It manages and controls mobile devices through its Symantec SMM solution by providing support to Android, iOS and BlackBerry devices, but it doesn’t support Web OS and Windows Phone 7.
This solution serves as a Telecom Expense Management (TEM), but now it has successfully integrated TEM and MDM. The client portal can receive various data including voice message, short message and other messages, and operates monitoring and management according to the specific customers’ and network administrators’ requirements.
It provides end users with filtering of web contents and URL, which stands it out from the general mobile device management applications. It additionally supports Web OS and Windows Phone 7
2. Research Methodology
2.1 Criteria for selecting MDM
From a brief analyze of the existing solutions, we may easily find out the multi-platform support is a very important criterion to evaluate a MDM solution. However, it is the only item to select a most suitable solution for an organization. Especially taking security into account, we need to evaluate a product from all aspects. Here are some criteria we may consider: * Enforced Password Protection
Password logging is quite basic for an enterprise-class application, so it is the baselines for evaluation the MDM, and we may find many solutions have already adopt more methods to enhance the access protection, such as dynamic password.
* Remote Control/ Lock
When the device is lost or stolen, remote control is very crucial to protect core business data. This feature also distinguishes devices in business use from consumer mobile phones.
* Selective Data Wipe
This characteristic is important especially in BYOD, because private data is inevitable in employee-owned devices. The company should protect business data not sacrificing respecting the device owners.
* Data Leak Prevention
We need to pay more attention to the users who have been authorized to access confidential data, that’s because data leak is due to this kind of misusing of data.
* ActiveSync Device Restriction
If data leak or damaged resulted from access to confidential data from ActiveSync is not approved by administration, the consequence can be serious. We should also restrict this access way.
VPN stands for Visual Private Network. It is an old-fashioned way to have limit access to enterprise network but it still works. In the later session, in the newly solution we arise will talk about it more deeply.
Nowadays, encryption technologies have been mature, and we can take a lot of sophisticated ways to encrypt sensitive data, like hybrid cryptography systems.
* Condition Monitoring & Reporting
Some existing solutions did a good job in real-time monitoring and friendly interface reporting templates. It will get better market share by entertaining the top management.
* Jailbreak/Root Detection
The ability to detect jailbreak (on iOS) and root (on Android) will help the organization to plan ahead and take measures to meet the security needs.
However, most of the existing solutions prefer to take on-premise strategy, maybe that’s because the traditional way to provide security is more reassuring. We also need to make it clear that if the company lacks the internal expertise, budgets or enough time to deploy and configure on-premise solutions, cloud-hosted solutions may be a better choice. In addition, we can expect more secured ways cloud help to protect confidential business data. We will further talk about it in the new solution introduction session.
3 Results Analysis & Presentation
Based on the criteria we have previously defined, we select McAfee Enterprise Mobility Management (EMM) as the core component in our secure corporate mobile device management deployment model.
3.1 McAfee Enterprise Mobility Management (EMM)
McAfee Enterprise Mobility Management (EMM) is a mobile security solution aims to provide a complete solution to embrace devices with diverse platforms, including Apple iPhone, Apple iPad, Android, and Symbian Windows Mobile. With the sweeping smartphone revolution, a centralized solution for enterprise mobility management has become a critical issue. As a combination of secure access, strong authentication, high availability, anti-malware, scalable architecture, and compliance reporting in one system, McAfee gives a complement to Microsoft Exchange ActiveSync (EAS) which spreads widely, as a traditional tool, around worldwide organizations.
To cover the full lifecycle of devices and drive down mobile devices management, McAfee EMM excels in the following areas:
* Simplified provisioning
McAfee EMM makes the fully configuration, along with WiFi, VPN, and PKI, into an easy style. * Functional expansion
To benefit personal devices, McAfee EMM not limited in what it can do. * Strong authentication
Without any other negative impacts, on performance or battery life for instance, McAfee EMM consolidates the authentication. * Detailed reporting
Collecting more data and metadata, as well as real-time information, about the device, McAfee EMM can post a more detailed report. * Application mobilization
Based on a proper platform, more applications will be launched intent to build a mobilizing business environment.
However, numbers of shortages still exist in this solution:
* Remote control
The lack of remote control brings more difficulties for professionals to take over the device when received requirements from users. * Monitoring and alerts
The ability to create special monitoring and alerts rational improves the level of consumer-centric. * Data Leak Protection (DLP)
To prohibit from the risk of inadvertent or deliberate data leaks, especially for confidential information, DLP is a necessary.
3.2 Supporting Technologies
In order to compensate the shortages and maximize security level, we suggest incorporating some emerging technologies to this deployment model. These
technologies can be categorized into Infrastructure, Communication and Access Control.
3.2.1 Infrastructure -Virtual Desktop Infrastructure
Virtual Desktop Infrastructure (VDI) is a technique widely used by enterprises in information security nowadays. With the help of virtualization, it combines all computing activities from the clients in a datacenter of the company, and the clients will only input, output, and display data. Theoretically speaking, staff can visit the virtual desktop with their mobile devices anywhere.
VDI provides a remarkably secure environment for an enterprise, and it excels in the following aspects:
* Recognized applications
All applications on the virtual desktop are filtered by the network management center, so all applications used by staff are proved safe. * Centralized strategy configuration
Network management center will formulate the strategy configuration for all end users, so the uncertainty of the IT environment, which is caused by individual strategy configuration, is cut down greatly. * Centralized data protection
Data is stored on the server, and the screen of a user will only display it but not save it, the risk of data leak is at a low rate. * Convenient data management
Since data is on the server, network administrators only need to manage and backup data on a certain number of virtual machines. * Two-factor authentication
Via this authentication method, the connection from the client to the server is well encrypted.
However, VDI still has its limitations:
* High expansion cost
The enhancement of storage and computing function in VDI needs a great amount of extra investment. * Single datacenter
Under the circumstance of virtualization, end-users are not able to visit the server if there is a network connection problem in the datacenter, and it is hard to set up and switch to more datacenters.
Therefore, VDI is not a perfect solution and it still needs to be optimized.
3.2.2 Communication-Internet Protocol Security Virtual Private Network
Internet Protocol Security (IPSec) is a security frame structure. It provides significantly end-to-end security on network layer, and it allows user to choose appropriate security function according to certain characteristics in different parts of the path.
Internet Protocol Security Virtual Private Network (IPSec VPN) is a VPN technique based on IPSec. With the help of IPSec, it creates a secure channel in the public network and encrypts the data on IP layer, which provides a private network function. Once an IPSec channel is created, all information during the communication is encrypted.
IPSec VPN is a popular technique in information security partly because of the following advantages:
* Extensive compatibility
IPSec VPN supports most advance channel protocol and firewalls, and it also support authenticate methods such as RADIUS, Tokens, LDAP and PAP. * Separated channels
Access to Internet, intranet and extranet can be supported by IPSec VPN in the same time. Under this circumstance, the access authority of users can be well designed, allowing users to use network resources securely and flexibly. * Broad connection
One terminal in IPSec VPN can be connected by thousands of branches.
IPSec VPN yet cannot solve the coming problems:
* Complicate implementation
A user has to install complicate client when he wants to apply IPSec VPN. Moreover, the operation and maintenance of this system requires lots of IT support. And once the user wants to change his VPN strategy, the difficulty of VPN management will increase incredibly. * Poor expansibility
In general, IPSec VPN is deployed on the network gateway (network layer). If any new devices need to be added, the user must deploy the VPN again in the view that the network topology will be changed. This causes the poor expansibility of IPSec VPN. * Zero protection for inner data
Since IPSec VPN is deployed on the network layer, the intranet is unlimited to the VPN users. It means that once an intruder hacks in a device used for remote working, he can access the inner data by simply running the VPN client.
Above all, IPSec VPN is not enough to ensure the security of a company.
3.2.3 Access Control-Location-based Service Access Control
Location-based service (LBS) is a popular technology frequently used in providing the location information. Through certain number of signal stations that serve the mobile devices, LBS can provide the geographical position via certain signal mode. This geographical position of the device can be generated by various techniques such as time difference of arrival (TDOA) and Enhanced Observed Time Difference (E-OTD). In addition, LBS could also be used in access control.[ ]
Most employees (except those frequently have business trip) work in certain fixed positions, and mostly are the company or their home. Once there is a connection declaring him an employee, but it is trying to access from a different place as usual, chances will be good that he is actually an intruder. To avoid this risk, the Movers’ solution will set up a database to record users’ fixed working position, and compare with the current position of a user when trying to access. Both positions obtaining process will be done by LBS. If the result comes out as difference, the system will active the second verification process, beside the normal password, the user has to answer a particular question that generated by him/her. Only if both verification processes is valid, the user can access to the company system.
LBS access control is an effective solution and it excels in the following aspects:
* Low cost
LBS is a mature technique, its deployment cost is low.
* Reduce the risk of information disclosure
Even if a user’s mobile devices and the password are stolen, the intruder is not likely to access the company system in a different place. * Hierarchy access control
For the most confidential information, instead of active the second verification process, the system will directly deny the access from unusual locations.
3.2.4 Infrastructure-Remotely Wipe for Lost Devices
It is very common that an employee loses his mobile device. However, this is a great threat to company’s information security. People who have obtained a lost device can easily access all information stored in it. In the view of solving this problem, most mobile phone operators provide the service to remotely wipe the data in their phones. In fact, what they do is merely to delete the data and restore the factory settings. As the data recovery technique is highly developed nowadays, if the original data is simply deleted and the position it formerly existed is not covered by any new data, it is still restorable. The Movers’ solution for this problem is to apply the file-cover technique. With this technique, when an individual remotely wipe the data on his phone, immethodical file will be generated on the same position after the deleting process. In this way, the original data cannot be restored any more.[ ]
3.2.5 Infrastructure-Cloud-Based Mobile Device with Private Cloud
The Google Chromebook demonstrates how a cloud-based device and cloud infrastructure can increase security by the following ways[ ]: 1. It eliminates the need of installing Anti-Virus software because no application downloading means no malware downloading. 2. Resource for security control can be reallocated and centralized on protecting the cloud infrastructure. 3. The nature of low storage capacity encourages users to rely more on cloud storage, which eliminates attacker’s desire to compromise the local storage on the cloud-based devices.
Yet, it is risky to process highly sensitive data or privacy data on public cloud since vendors may not handle them as rigorously as the client organization does. In contrast, private cloud solves all these issues. In contrast, private cloud solves all these issues.
This Chrome Book example gives us an idea of what a mobile device that can work securely with cloud should look like. Manufacturer should develop a cloud-based mobile device that share the specification characteristic of the Chrome Book (e.g. Cheaper, low storage capacity, minimized number of processes running in background) and can be optionally reconfigured to work with the client’s private cloud for achieving higher level of security, control and flexibility.
3.2.5 Access Control-Multifactor Authentication by Mobile Devices Multifactor authentication on mobile devices is one of the components in our solution. Traditionally, multifactor authentication is achieved through the use of token device. Advancing mobile technology have enabled the opportunity of using mobile device as a medium for multifactor authentication. [ ] This mechanism generates dynamic password by having the users to enter their username and PIN in the authentication mobile client application. Traditionally, there are two mechanisms of multifactor authentication with mobile devices, Connection-Less Authentication System and SMS-Based Authentication System. Their procedures are shown as follows:
1. User input their username and PIN on the mobile client software. 2. A One Time Password (OPT) that is only valid for a particular time set up by user, is generated locally on the client application by an algorithm based on factors including the phone’s IMEI and ISMI, Username, PIN and request time. 3. The authentication server will generate the same password based on the same factors, which have been stored in the server since the user registered the device. 4. The user submits the generated OPT to the server.
5. Server matches the submitted OPT with the OPT it has generated. If they match, access is granted.
1. User input their username and password on the mobile client software to request a password from the authentication server 2. A One Time Password (OPT) that is only valid for a particular user chosen time interval, is generated remotely on the authentication server by an algorithm based on factors including the phone’s IMEI and ISMI, Username, PIN and request time. 3. The authentication server sends the generated password to user’s mobile device via SMS. 4. The user submits the received OPT to the server.
5. Server matches the submitted OPT with the OPT it has previously generated. If they match, access is granted.
Multifactor Authentication on mobile phone instead of token device provides several benefits.
* Cost Saving- Using mobile device as a password generator eliminates the needs to manufacture and issue token devices to clients. Cost burden on both client and organization can be substantially reduced. * Convenience- the number of devices carried by the client is reduced, which reduces the likelihood of losing a token device.
However, this authentication method does not achieve the maximum security since the generated password its still belong to the “What you know?” authentication category. In the case that the attacker have successfully stolen the device and know the user ID and PIN of the victims, the security will be compromised as the attacker generates the One Time Password (OPT) on the device.
4.1 Problems and Risks for Selected Technologies
Although the selected supporting technologies will cover the major limitation of the McAfee EME Solution, we are aware of the risk and limitation that comes with some of these technologies. For the sake of achieving a higher level of security, we recommend to improve these technologies in terms of security again as well as what we have done for the McAfee MEM Solution. Firstly, we summarize the limitations and problems on some of the selected supporting technology.
Problem for Internet Protocol Security Virtual Private Network
* Complicate implementation
* Poor expansibility
* Zero protection for inner data
Problem for Multifactor Authentication by Mobile Devices
* Only supports “what you know?” password
4.2.1 SSL VPNs Application in Mobile Devices
In order in address the problem for Internet Protocol Security Virtual Private Network, we suggested to improve this technology with SSL VPNs Application in Mobile Devices.
Most of enterprises use Virtual Private Networks (VPNs) to create a more confidential Office Automation environment over untrusted networks like Internet. VPNs provides organizations secure communication by using both authentication and encryption technologies, which allow remote staffs to search customers’ information, receive eternal emails, check orders and transport private business data via public network by using mobile devices. Furthermore, with the widespread deployed WIFI hotspot and usage of smart phone, increasing remote users begin to leave their laptop behind and rely on mobile devices like smart phone and pad. As we know, most enterprise VPNs are built by using IPSec and IPSec VPNs, which consists of several IPSec gateways and client-software installed on remote access devices. However, the processors of small mobile devices are slower and their memories are lesser. What’s more, the application compatibility of different operation systems platform on mobile devices, such as IOS, Android and Windows Phone, are quite different, which leads to many difficulties to install IPSec VPN client-software on mobile devices. In order to solve this problem, we have designed a new VPN solution for enterprise mobile devices by using SSL. 188.8.131.52 SSL Technology
Secure Sockets Layer (SSL) is cryptographic protocols that provide communication security over the Internet . SSL encrypts the information at transport layer and application layer. SSL use asymmetric cryptography to exchange public key and private key, use symmetric encryption to guarantee confidentiality and use message authentication codes to make sure the information is completely transported. 184.108.40.206 Apply SSL VPNs in Mobile Security Solution
The problems of IPSec VPN have been mentioned at the former chapter of this report. IPSec VPN requires remote users to login client-software and gives them a network-layer connection protecting the whole edge of companies’ private network. On the contrary, SSL VPNs established based on SSL protocol, it offers application-layer connection. The advantages of SSL VPNs are shown as following:
* SSL combines public-key and symmetric-key encryption together to ensure the security of data. * Before messages exchanged, SSL begins with a handshake, which allows remote user to authenticate himself to server and also let server to authenticate to remote user. Then they start to encryption, decryption and integrity. As chart 2-1 shown below.
* The symmetric encryption of SLL is well designed. After handshake the symmetric encryption would generate a timestamp and a message authorization code (MAC) for every message at the same time to prevent message tampering attack and message replay attack.
“Encrypt (message) + MAC (message + timestamp)” 
* SSL VPNs is flexible. In order to enable remote users to access organization’s private network through an ensured secure Internet connection, SSL VPNs is founded as standard in Web browsers. It solves the compatibility problem of IPSec VPN. SSL VPNs separates operation system and browsers into independent module, which enable remote user to access eternal network server from different mobile operation system and platforms. * “SSL VPNs is clientless VPNs “. All the web browsers in mobile devices today all have SSL protocol built in. It will be unnecessary to install additional client-software on remote user’s mobile devices.
* SSL VPNs is a less expensive option. By using SSL VPNs, organization don’t need to change their eternal network architecture anymore, and don’t need to purchase solution with support client-software. SSL VPNs is much cheaper to implement compared to IPSec VPNs. The core value of SSL VPNs is saving cost. * SSL VPNs could provide a more granular way to manage and control eternal network resources. “IPSec VPN grants hosts access to entire subnets rather than creating or modifying selectors for each IP address.”  So all the data transported in eternal network are visible via IPSec VPNs. On the contrary, SSL VPNs could filter the remote users and determine their access to different individual application on private cloud because it is at the application layer.
4.2 Incorporating Facial and Vocal Recognition into Multifactor Authentication
In order in address the problem for Internet Protocol Security Virtual Private Network, we suggested to improve this technology with Incorporating Facial and Vocal Recognition. In order to maximize the degree of security of this authentication mechanism, we propose to incorporate facial and vocal recognition technologies, which are currently available in numbers of mobile devices in the market, to mobile device based multifactor authentication.
The user will be able to optionally customize the authentication method in order to satisfy their security need. They can optionally include facial or vocal recognition as a required extra step after the mandatory username and PIN requirement for generating the OTP.
McAfee is the best Mobile Device Management Solution currently available in the market based on our predefined criteria. However, chinks do exist in the armor, there are number drawbacks still existing in this solution. Consequently, mobile security is still not optimized with only this MDM solution. We propose to incorporate some remarkable emerging technologies into the deployment of McAfee in order to compensate its drawback. Meanwhile, these supporting technologies are re-evaluated again for improvement opportunity in order to mitigate risks and achieve more security. By deploying the McAfee with the supporting technologies mentioned above, organization will be able to maximize security level in terms of Access Control, Infrastructure and Communication. All supporting technologies will function collaboratively to support the deployment of McAfee EME. As a result, a secure mobile computing environment is achieved. The entire deployment model can be explained graphically as follows.
 T. Dierks, E. Rescorla, “The Transport Layer Security (TLS) Protocol, Version 1.2”, August 2008.  A. Freier, P. Karlton, P. Kocher “The Secure Sockets Layer (SSL) Protocol Version 3.0”. August 2011.  Ray Stanton, “Securing VPNs: comparing SSL and IPsec”, Computer Fraud & Security, September 2005.  Ray Stanton, “Securing VPNs: comparing SSL and IPsec”, Computer Fraud & Security, September 2005.