WAP Gateway at the Host

Some businesses and organizations, particularly in the financial, healthcare, and government sectors, may have legal requirements to keep their customers’ sensitive data protected. Having such sensitive data exposed outside the organization’s internal control may pose an unnecessary risk and liability. To some, the “gap in WAP”

presents a broken pipeline, an obvious breach of confidentiality that is just waiting to be exploited. For those who find such a breach unacceptable, one possible solution FIGURE 3.1 WAP gateway at the service provider.

Remote

is to place the WAP gateway at the business host’s own protected network, bypassing the wireless service provider’s WAP gateway entirely. Figure 3.2 provides an exam-ple of such a setup. Nokia, Ericsson, and Ariel Communications are just a few of the vendors offering such a solution.

This approach has the benefit of keeping the WAP gateway and its WTLS-SSL translation process in a trusted location, within the confines of the same organization that is providing the secure Web applications. Using this setup, users are typically dialing directly from their wireless devices, through their service provider’s public switched telephone network (PSTN), and into the business’ own remote access servers (RAS). Once they reach the RAS, the transmission continues onto the WAP gateway, and then onward to the application or Web server, all of these devices within the business host’s own secure environment.

Although it provides better end-to-end security, the drawback to this approach is that the business host will need to set up banks of modems and RAS so users have enough access points to dial in. The business also will need to reconfigure the users’ cell phones and PDAs to point directly to the business’ own WAP gateway instead of (typically) to the service provider’s. However, not all cell phones allow this reconfiguration by the user. Furthermore, some cell phones can point to only one WAP gateway, while others are fortunate enough to point to more than one. In either case, individually reconfiguring all those wireless devices to point to the business’ own WAP gateway may take significant time and effort.

FIGURE 3.2 WAP gateway at the host.

Remote Access Server

WAP Gateway

Application Server

Web Server ISP Network Modem

Mobile User

Base Station

Business Host's Secure Environment Service Provider's

Secure Environment

Firewall PSTN/ISDN

Internet

For users whose cell phones can point to only a single WAP gateway, this reconfiguration introduces yet another issue. If these users now want to access other WAP sites across the Internet, they still must go through the business host’s WAP gateway first. If the host allows outgoing traffic to the Internet, the host then becomes an Internet service provider (ISP) to these users who are newly configured to point to the host’s own WAP gateway. Acting as a makeshift ISP, the host will inevitably need to attend to service- and user-related issues, which too many businesses can be an unwanted burden because of the significant resources required.

3.6.2.3 Pass-Through from Service Provider’s WAP Gateway to Host’s WAP Proxy

For businesses that want to provide secure end-to-end encrypted transactions and to avoid the administrative headaches of setting up their own WAP gateways, there are other approaches. One such approach, as shown in Figure 3.3, is to keep the WTLS-encrypted data unchanged as it goes from the user’s mobile device and through the service provider’s WAP gateway. The WTLS-SSL encryption translation will not occur until the encrypted data reaches a second WAP gateway-like device residing within the business host’s own secure network. One vendor developing such a solution is Openwave Systems (a combination of Phone.com and Software.com).

Openwave calls this second WAP gateway-like device the Secure Enterprise Proxy.

During an encrypted session, the service provider’s WAP gateway and the business’

Secure Enterprise Proxy negotiate with each other, so that the service provider essentially passes the encrypted data unchanged to the business that is using this FIGURE 3.3 Pass-through from service provider’s WAP gateway to host’s WAP proxy.

Remote

proxy. This solution utilizes the service provider’s WAP gateway because it is still needed to provide proper Internet access for the mobile users, but it does not perform the WTLS-SSL encryption translation there and thus is not exposing confidential data. The decryption is passed on and occurs instead within the confines of the business’ own secure network, either at the Secure Enterprise Proxy or at the application server.

One drawback to this approach, however, is its proprietary nature. At the time of this writing, to make the Openwave solution work, three parties would need to implement components exclusively from Openwave. The wireless service providers would need to use Openwave’s latest WAP gateway. Likewise, the business hosting the secure applications would need to use Openwave’s Secure Enterprise Proxy to negotiate the encryption pass-through with that gateway. In addition, the mobile devices themselves would need to use Openwave’s latest Web browser, at least Micro Browser version 5. Although approximately 70 percent of WAP-enabled phones throughout the world are using some version of Openwave Micro Browser, most of these phones are using either version 3 or 4. Unfortunately, most of these existing browsers are not upgradable by the user, so most users may need to buy new cell phones to incorporate this solution. It may take some time before this solution comes to fruition and becomes popular.

These are not the only solutions for providing end-to-end encryption for wireless Internet devices. Other methods in the works include applying encryption at the applications level, adding encryption keys and algorithms to cell phone SIM cards, and adding stronger encryption techniques to the next revisions of the WAP speci-fications, perhaps eliminating the “gap in WAP” entirely.

3.7 CONCLUSION

Two sound recommendations for the many practitioners in the information security profession are:

1. Stay abreast of wireless security issues and solutions.

2. Do not ignore wireless devices.

Many in the IT and information security professions regard the new wireless Internet devices diminutively as personal gadgets or executive toys. Many are so busy grappling with the issues of protecting their corporate PCs, servers, and net-works that they cannot imagine worrying about yet another class of devices. Many corporate security policies make no mention of securing mobile handheld devices and cell phones, although some of these same corporations are already using these devices to access their own internal e-mail. The common fallacy is that these they can cause no harm.

Security departments have had to wrestle with the migration of information assets from the mainframe world to distributed PC computing. Many corporate attitudes have had to change during that evolution regarding where to apply security.

With no exaggeration, corporate computing is undergoing yet another significant phase of migration. It is not so much that corporate information assets can be

accessed through wireless means, because wireless notebook computers have been doing that for years; rather, the means of access will become ever cheaper and, hence, greater in volume. Instead of using a $3000 notebook computer, users (or intruders) can now tap into a sensitive corporate network from anywhere, using just a $40 Internet-enabled cell phone. Over time, these mobile devices will have increas-ing processincreas-ing power, memory, bandwidth, storage, ease of use, and popularity. It is this last item that will inevitably draw upon corporate resources.

Small as these devices may be, once they access the sensitive assets of an organization, they can do as much good or harm as any other computer. Ignoring or disallowing these devices from an information security perspective has two probable consequences:

1. The business units or executives within the organization will push, often successfully, to deploy wireless devices and services anyway, shutting out any involvement or guidance from the information security department.

Inevitably, information security will be involved at a much later date, but reactively and often too late to have a significant impact on proper design and planning.

2. By ignoring wireless devices and their capabilities, the information secu-rity department will give attackers just what they need: a neglected and unprotected window into an otherwise fortified environment. Such an organization will be caught unprepared when an attack using wireless devices surfaces.

Wireless devices should not be treated as mere gadgets or annoyances. Once they tap into the valued assets of an organization, they are indiscriminate and equal to any other node on the network. To stay truly informed and prepared, information security practitioners should stay abreast of the new developments and security issues regarding wireless technology. In addition, they need to work with the application designers as an alliance to ensure that applications designed for wireless take into consideration the many points discussed in this chapter. And finally, organizations need to expand the categories of devices protected under their information security policies to include wireless devices, because they are in effect yet another infra-structure component of the organization.

Bibliography

Appleby, T.P., WAP — the wireless application protocol, White paper, Global Integrity.

Blake, R., Wireless Communication Technology, Delmar Thomson Learning, 2001.

Certicom, Complete WAP Security from Certicom, http://www.certicom.com.

CMP Media, Wireless devices present new security challenges — growth in wireless Internet access means handhelds will be targets of more attacks, October 21, 2000.

DeJesus, E.X., Wireless devices are flooding the airwaves with millions of bits of information.

Securing those transmissions is the next challenge facing E-commerce, White paper, http://www.infosecuritymag.com, October 2000.

Harte, L. et al., Cellular and PCS: The Big Picture, McGraw-Hill, New York, 1997.

Howell, R. et al., Professional WAP, Wrox Press Ltd., Birmingham, 2000.

Izarek, S., Next-gen cell phones could be targets for viruses, http://www.foxnews.com, June 1, 2000.

Muller, N.J., Desktop Encyclopedia of Telecommunications, 2nd ed., McGraw-Hill, New York, 2000.

Nobel, C., Phone.com plugs WAP security hole, eWEEK, September 25, 2000.

Nokia, Secure Corporate WAP services: Nokia Activ Server, White paper, http://www.nokia.

com.

Radding, A., Crossing the wireless security gap, http://www.computerworld.com, January 1, 2001.

Saarinen, M.-J., Attacks against the WAP WTLS Protocol, University of Jvyskyl, Finland.

Saita, A., Case study: securing thin air, academia seeks better security solutions for handheld wireless devices, http://www.infosecuritymag.com, April 2001.

Schwartz, E., Two-zone wireless security system creates a big hole in your communications, http://www.infoworld.com, November 6, 2000.

Tulloch, M., Microsoft Encyclopedia of Networking, Microsoft Press, Redmond, WA, 2000.

Unstrung.com, Does Java solve worldwide WAP wait?, http://www.unstrung.com, April 9, 2001.

Van der Heijden, M. and Taylor, M., Understanding WAP: Wireless Applications, Devices, and Services, Artech House Publishers, 2000.

Part II