The best way to achieve an understanding of the merits of the
implementation of security in the wireless environment is to
compare it to the implementation of security in the fixed-wire
world, that is, the Internet.
Internet Communication Model
A typical example of the Internet communication model is shown
in the diagram below:

The Internet communication model assumes that a client PC
connects to a server via an ISP dial-up connection. The client will
be connected into the ISP systems over a PSTN or ISDN link, with
PPP usually used as the bearer protocol.
The connection point on the ISP network is a RAS server, which
performs certain functions on behalf of the remote client. In
particular, the RAS server effectively acts as a proxy
for the remote client, collecting network packets and forwarding
them across the dial-up link. The RAS server is responsible for
validating the client that is dialling in, and there are various
means at its disposal to do that. The RAS server is typically on a
secure part of the ISP network and thus provides the illusion to
all other devices that the remote client is in fact also on the
local network.
The ISP secure network environment is usually isolated from the
Internet by means of a firewall of some sort. This firewall will
attempt to regulate traffic that enters the local network, and
protect the devices on the local network from malicious attacks
over the Internet. The ISP may also choose to run one or more web
servers and/or other facilities in a way that is more easily
accessible to the public, and by extension also more vulnerable to
attack. This area of the network is referred to as the
demilitarized zone (DMZ), and is usually on a separate
network segment from the secure area. Note that this is only one
possible configuration for a network. Any particular implementation
is likely to be far more complex and to be different in any number
of ways.
Access to the Internet is typically facilitated by one or more
gateway devices, which are connected both to the ISP network and to
some other network, possibly one run by one of the global Internet
backbone providers. Any message entering the network across the
gateway will be forwarded from gateway to gateway across the
Internet, until it arrives at the destination network. It will then
cross the gateway and enter the local network of the target host.
In a way similar to the ISP, the host may also have a DMZ which
houses the web server, with traffic entering the secure network
filtered through a firewall. The firewall may only permit traffic
originating from the web server to enter the secure network. On the
network behind the firewall will reside any additional applications
required to fulfil the request, and these will be used by the web
server as required.
In examining the Internet model from the perspective of who
controls or has the ability to influence the connection from a
security point of view, it is apparent that the TLS connection
exists between the client device and the web server. In effect this
forms a tunnel between the client and server, and anyone
penetrating this tunnel would not be able to decipher any messages
intercepted. The ISP retains responsibility for the devices on its
own network and for validating that the client is permitted to
connect to the network in the first place, but has no ability to
influence the TLS session. The extent of each party's influence is
illustrated below.

Wireless Communication Model
The wireless communication model is more complex because there
are more ways in which the connection could be achieved. The model
that we will examine here is the one over which many, possibly
the majority of, connections between the person in the street and
a WAP-enabled web site will take place. That is not to say that
this is necessarily the best model
from any particular point of view, just that many connections will
be effected in this manner. This model is illustrated below:

In this model the remote client is a mobile device, but still
dials into a RAS server on some network somewhere. This is likely
to be a RAS server hosted and owned by the network provider, and
is therefore likely to be on the network provider's own local
network. The network provider will typically also host the WAP
gateway, and a web server to provide access to the premium rate
services that the network provider offers to their members. If
access is required to services hosted on another server somewhere
across the network, then the WAP gateway will act as a proxy for
the client mobile device in establishing the required sessions with
the remote host.
From the point of view of security, this scenario has various
implications. WTLS is the security protocol that will be used to
secure communications to and from the mobile device, but the mobile
device's session is necessarily with the WAP gateway rather than
the remote host's web server. At the gateway, the secure session
terminates and all encrypted material is decrypted. Should there be
a requirement for a secure session for communication with the web
server, it will be established by the WAP gateway on behalf of the
mobile device. The WAP gateway will use TLS to establish such a
secure session. While TLS is obviously a robust security protocol,
it remains a fact that the secure session is not between the mobile
device and the web server. There are actually two secure sessions
in play: one between the mobile device and the WAP gateway and the
other between the WAP gateway and the web server. This means that
there is a security gap, in which the data is not encrypted, at the
WAP gateway.
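To make the two spans of control concrete, here is an added example (not from the original article) that models each secure hop as a separately sealed link and records which party can read the plaintext: in the Internet model only the client and web server hold the session key, while in the wireless model the WAP gateway must decrypt before it re-encrypts. The cipher is a constructed toy (SHA-256 keystream plus HMAC) standing in for TLS and WTLS, and the party names and the `trace` helper are assumptions.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 12, 32

def keystream(key, nonce, n):
    """Constructed toy keystream: SHA-256 in counter mode (stand-in for a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    """Encrypt-then-MAC one hop; only holders of `key` can open the result."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key, blob):
    """Verify the tag before decrypting; a tampered or foreign blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, nonce, len(ct))))

def trace(request, chain):
    """chain: ordered (party, key_in, key_out) triples. A party holding key_in
    decrypts and so sees plaintext; with key_out it re-encrypts for the next
    hop; with neither it merely forwards bytes. Returns what each party saw."""
    seen, wire = {}, request
    for i, (party, key_in, key_out) in enumerate(chain):
        data = open_(key_in, wire) if key_in else wire
        seen[party] = data if (i == 0 or key_in) else None  # None = ciphertext only
        wire = seal(key_out, data) if key_out else data
    return seen

def internet_model(request):
    k = os.urandom(32)  # one TLS session key, held only by client and web server
    return trace(request, [("client", None, k), ("isp_ras", None, None), ("web_server", k, None)])

def wap_model(request):
    k_wtls, k_tls = os.urandom(32), os.urandom(32)  # two separate sessions
    return trace(request, [("mobile", None, k_wtls),
                           ("wap_gateway", k_wtls, k_tls),  # decrypts here: the WAP gap
                           ("web_server", k_tls, None)])
```

Running both models on the same request shows the ISP entry `None` (it relays bytes it cannot open) but the WAP gateway entry equal to the request itself, which is exactly the gap the text describes.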
This gap, and the span of control of the host server and network
operator are illustrated below.

The host server's span of control is severely curtailed in
comparison to the Internet model. In fact, the host has absolutely
no control over the security that exists between the mobile device
and the WAP gateway. The host also has limited control over the TLS
session between the WAP gateway and the web server, and will be
limited to providing security that does not exceed a level
determined by the network operator. This may or may not be adequate
for the host.