SmartPhoneToday


Software Overview: Blue-Fire-Wall Secures Entry Points

By Laura Taylor
June 20, 2005

Handheld operating systems are becoming so fully featured that they are prone to the same types of security exploits that affect desktop systems. So if you use your PDA or smartphone to connect to the Internet, you're taking a risk if you don't have a firewall installed. Bluefire Security's firewall is one of the most full-featured you can install on your handheld. In this article, Laura Taylor fills you in on how this innovative new product works.

Bluefire's Supported Platforms
Bluefire's handheld firewall is part of the Bluefire Mobile Security Suite, version 3.5, and it can be installed on the following handheld operating systems:

  •   Windows Mobile 2003 for Pocket PC (including 2nd edition)
  •   Windows Mobile 2003 for Pocket PC Phone Edition (including 2nd edition) (Bluefire just announced support for Windows Mobile 2005 for Pocket PC & Smartphone.)
  •   Palm OS 5.2.1
  •   Palm OS 5.4.5

    Many handhelds run either the Palm platform or a version of Windows Mobile. So the good news is that Bluefire’s firewall works for millions of devices. However, there are a fair number of cutting-edge handhelds that are left out in the cold. If you are using a RIM BlackBerry handheld or a device running the Symbian or Linux platforms, you won't be able to take advantage of the protection Bluefire's firewall can offer.

    Why You Need a Firewall
    Handhelds often have more points of entry than desktop systems. Today's devices have synchronization points of entry, radio frequency points of entry, and TCP/IP points of entry. You need to be able to block rogue traffic from all these entry points and Bluefire's Mobile Security Suite can do just that.

    The service that users most often forget to take into consideration when it comes to security is usually the synchronization service. Palm OS devices synchronize data through HotSync, and Windows Mobile devices synchronize data through ActiveSync.

    Various synchronization vulnerabilities have been identified by leading security experts and are public knowledge to hackers. Certain synchronization vulnerabilities are listed in Table 1.

    Table 1. Some Known Synchronization Vulnerabilities for Handhelds

    | Operating System Affected | Description | URL for More Information |
    |---|---|---|
    | Palm OS | Buffer Overflow | http://www3.ca.com/securityadvisor/vulninfo/Vuln.aspx?ID=7029 |
    | Palm OS | Authentication Vulnerability | http://www.securiteam.com/securitynews/5VP0I000AO.html |
    | Palm OS | Denial of Service Attack | http://www.securiteam.com/exploits/3L5QMPPPQG.html |
    | Windows Mobile | Denial of Service Attack | http://www.securiteam.com/windowsntfocus/5AP0O0U9FC.html |
    | Windows Mobile | Denial of Service Attack | http://www.cs.nmt.edu/~cs553/paper3.pdf |


    When you synchronize your handheld with a desktop or laptop, you want to know where the data is coming from. On a Palm device, when you invoke synchronization, you open up TCP ports 14237 and 14238, as well as UDP port 14237. With a handheld firewall, you can set up a rule that says, "Allow synchronization data to enter my handheld only from my one trusted laptop IP address."

    Similarly, ActiveSync uses TCP ports 990, 999, 5678, and 5679. You want to know what IP addresses are trying to send synchronization data into those ports. With a handheld firewall such as Bluefire's, you can set up a policy (often referred to as a "rule") to stipulate the source address of the inbound data.
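
The source-restricted synchronization rule described above can be modelled as a small default-deny rule check. This is an added example, not Bluefire's rule format or code from the article; the rule structure and function names are assumptions, and the connection attempts are constructed sample data.

```python
import ipaddress

# Synchronization ports as listed in the article.
SYNC_PORTS = {
    "HotSync": {("tcp", 14237), ("tcp", 14238), ("udp", 14237)},
    "ActiveSync": {("tcp", 990), ("tcp", 999), ("tcp", 5678), ("tcp", 5679)},
}
TRUSTED = ipaddress.ip_network("192.168.0.42/32")  # the article's example laptop


def build_rules(trusted=TRUSTED):
    """One allow rule per sync service, limited to the trusted source (hypothetical layout)."""
    return [{"name": f"{svc} from trusted laptop", "ports": ports, "source": trusted}
            for svc, ports in SYNC_PORTS.items()]


def evaluate(rules, proto, dst_port, src_ip):
    """First matching rule allows; everything else is denied (default deny)."""
    try:
        src = ipaddress.ip_address(src_ip)
    except ValueError:
        return ("deny", "malformed source address")
    key = (proto.lower(), dst_port)
    for rule in rules:
        if key in rule["ports"] and src in rule["source"]:
            return ("allow", rule["name"])
    # Name the sync service when an untrusted host reached one of its ports.
    service = next((s for s, p in SYNC_PORTS.items() if key in p), None)
    if service:
        return ("deny", f"{service} port reached from untrusted source")
    return ("deny", "no matching rule")


# Constructed sample of inbound connection attempts (not real traffic).
SAMPLE = [
    ("tcp", 999, "192.168.0.42"),
    ("tcp", 999, "192.168.0.77"),
    ("udp", 14237, "192.168.0.42"),
    ("tcp", 14238, "10.0.0.5"),
    ("udp", 14238, "192.168.0.42"),  # UDP 14238 is not a listed sync port
    ("tcp", 80, "192.168.0.42"),
]


def audit(sample=SAMPLE):
    """Return each attempt with the verdict and the reason for it."""
    rules = build_rules()
    return [(p, port, ip) + evaluate(rules, p, port, ip) for p, port, ip in sample]


if __name__ == "__main__":
    for row in audit():
        print(row)
```
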

    How Bluefire's Firewall Works
    Using Bluefire's Mobile Security Suite, you can set up security policies and then enforce them using the firewall. The firewall software is just one part of the Bluefire Agent. (Other features included in the Agent are intrusion detection, device authentication, security management, integrity management, and encryption management.)

    As with any firewall, with Bluefire you can block entire domains, IP addresses, or network addresses from sending any inbound data to your handheld. However, aside from blocking TCP and UDP ports, you can also prevent synchronization from taking place, and also block wireless radio frequency communications.

    The firewall has a graphical user interface that you configure in the same way you typically configure other firewalls. Installed out of the box, Bluefire's firewall comes with four default firewall policies that are already set up for you.

    These policies are known as FW1, FW2, FW3, and FW4. The first level, FW1, is set up to trust no one. The second level, FW2, is set up to trust a small amount of inbound traffic. The third level, FW3, is less restrictive and trusts some inbound traffic. The fourth level, FW4, trusts all inbound traffic. Table 2 summarizes the four out-of-the-box policy settings and trust levels that Bluefire's firewall sets up during standard installation.

    Table 2. Bluefire Firewall Security Levels

    | Policy Level | Level of Trust | Description |
    |---|---|---|
    | FW1 | Trust No One | Prevents all inbound traffic from entering handheld. |
    | FW2 | Paranoid | Allows DHCP, DNS, HTTP, HTTPS, HTTP Proxy, IPSec, NAT, IKE, and L2TP. |
    | FW3 | Cautious | Allows DHCP, DNS, HTTP, HTTPS, HTTP Proxy, IPSec, NAT, IKE, L2TP, POP3, SMTP, and Ping. |
    | FW4 | Trust All | Allows all network traffic into the device. |

    You can create new policies that are different from the default policies, and you can copy any of the default policies into a new policy and then modify it. If, for example, you want to create a policy (or rule) that only allows synchronization data to enter your handheld from IP address 192.168.0.42, then you could set up a rule that looks like the one listed in Table 3.

    Table 3. Firewall Rule to Allow Synchronization with Specified Source System

    | Rule Name | Direction | Event Name | Protocol | Source Port | Destination Port |
    |---|---|---|---|---|---|
    | ActiveSync with laptop | Inbound | Allow info-activesync in | TCP | 999 | * |

    Figure 1 shows how firewall rules are configured in Bluefire's graphical user interface.

    One of the limitations of Bluefire's firewall is that currently it does not offer the capability to identify the Source Port IP address. This means that traffic intended for the source port has to be set in a sort of all-or-nothing type of configuration—let it all in or keep it all out.

    According to Bluefire, they are currently developing the ability to specify a source IP address and this functionality will be available later this year. Even without the source IP address functionality, Bluefire's firewall is still the most advanced handheld firewall on the market.

    When you are configuring your Bluefire firewall, one strategy is to use the same security policy that you use for desktop systems. If you are blocking HTTP on your desktop systems, it makes sense to block HTTP on your handhelds as well.

    Unless there is a reason not to do so, your handhelds should follow the same security policy that your other client systems follow.

    Handheld Firewall Upshot
    If you are responsible for implementing and enforcing security on an enterprise network, and are considering allowing handhelds to connect to your network, you may want to take into consideration which handheld operating systems can be protected by firewalls.

    Even if you don't want to install a firewall on your handheld initially, it's nice to know the option exists in the event that your network starts encountering serious handheld security problems.

    Handhelds have numerous points of entry, including synchronization points, modems, and different types of wireless entry points such as infrared, Bluetooth, and Wi-Fi. If you surf the web with a handheld, Trojans can be inadvertently downloaded through your Web browser.

    Bluefire's firewall, which is part of the Bluefire Mobile Security Suite, can help safeguard your data and decrease the risk that your sensitive information could be compromised.

    Keep in mind that the Bluefire Mobile Security Suite offers more than just a firewall. There are also authentication, encryption, and integrity management features.



Related Links:

  • Handheld Security: Part V – Enforce Policies, Keep Network Safe
  • Handheld Security: Part IV – The Mobile VPN
  • Handheld Security: Part III – Evaluating Security Products
  • Handheld Security: Part II - Understand Vulnerabilities
  • Handheld Security: Part I - Learn the Basics
