Gateway Services Security

Any system granting access to clients should include a separate method for authenticating the user. MAC addresses can be spoofed. The gateway may provide its own authentication service, or act as a proxy for a remote authentication service available elsewhere on the network.

Various authentication services can serve this function, including RADIUS and Windows Active Directory. Using an underlying operating system’s authentication may allow the user to log in to both the network and a machine with a single sign-in. 802.1x proposes this approach.

A “captive portal” redirects every HTTP request from a not-yet-authenticated user to the authentication service and blocks all other types of requests. There are situations where wireless clients are not capable of performing a standard authentication exchange; sensors on a shop floor or in a wireless automotive network might be examples.

In these cases, with very limited privileges, statically assigned access may be justified. But the security implications must be carefully considered and strong encryption should be used. Roaming is another issue that gateways can address.
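The captive-portal behaviour described above (redirect an unauthenticated client's HTTP, drop everything else, and a statically assigned allow-list with very limited privileges for devices that cannot authenticate), as an added example that is not part of the original text. The portal URL, the credential store and the `Gateway`/`Request` names are assumptions; the credential check is a constructed stand-in for a RADIUS or Active Directory back end, and the MAC address is only a session key, never proof of identity.

```python
import hashlib
import hmac
from dataclasses import dataclass

PORTAL_URL = "https://portal.example.test/login"  # assumed portal address

@dataclass
class Request:
    mac: str     # client MAC (spoofable, so only a session key, never proof of identity)
    ip: str
    proto: str   # "http", "https", "dns", "modbus", ...
    url: str = ""


class Gateway:
    def __init__(self, credential_check, static_allow=None, session_ttl=3600):
        self.credential_check = credential_check  # (user, password) -> bool
        self.static_allow = static_allow or {}    # mac -> protocols a non-authenticating device may use
        self.session_ttl = session_ttl
        self.sessions = {}                        # (mac, ip) -> (user, expiry)

    def authenticate(self, mac, ip, user, password, now):
        """Separate user authentication step (stand-in for RADIUS / AD)."""
        if not self.credential_check(user, password):
            return False
        self.sessions[(mac, ip)] = (user, now + self.session_ttl)
        return True

    def decide(self, req, now):
        """Return ("FORWARD", url), ("REDIRECT", portal) or ("DROP", None)."""
        sess = self.sessions.get((req.mac, req.ip))
        if sess and sess[1] > now:
            return ("FORWARD", req.url)
        self.sessions.pop((req.mac, req.ip), None)  # expired or absent
        # Statically assigned access with very limited privileges, e.g. a shop-floor
        # sensor that cannot authenticate but may speak exactly one protocol.
        if req.proto in self.static_allow.get(req.mac, ()):
            return ("FORWARD", req.url)
        if req.proto == "http":      # unauthenticated HTTP goes to the portal
            return ("REDIRECT", PORTAL_URL)
        return ("DROP", None)        # everything else is blocked


# Constructed credential store: user -> salted SHA-256 of the password.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

def check_credentials(user, password):
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(digest, _USERS.get(user, ""))
```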

Roaming users may move out of range of their current access point and into range of several alternative access points. Handover delays may affect streaming applications like Voice-over-IP (VoIP) and video. Secure access points might require the user to be re-authenticated, while gateways offer other options. The 802.11 Fast Roaming Study Group and the 802.21 working group are looking for standard ways to address roaming, as is a partnership among Proxim, Avaya, and Motorola.

WAP devices use WTLS instead of SSL, due to the assumed resource constraints of the WAP client. The basic WAP configuration involves a WAP gateway that translates between the various WAP protocols and the corresponding Internet protocols. The WAP gateway translates between WTLS and SSL by decrypting each message as it comes in and then re-encrypting it in the other protocol before passing it on.

Decrypting the message inside the WAP gateway, where it exists in plaintext, is only one of many WTLS vulnerabilities. Better security can be achieved by using an encryption protocol in the layer above WTLS/SSL that runs directly between the client and server endpoints. PKI-based encryption is the logical candidate for such end-to-end encryption, e.g., for M-Commerce applications.

But PKI (Public Key Infrastructure) is resource intensive. The special processing could be handled by a SIM (Subscriber Identification Module) or WIM (WAP Identity Module) smartcard, but smartcards add cost to small devices.

Research is currently underway on using a remote server to perform the computationally heavy part of the RSA/ECC implementation while the client keeps all key parameters secret.

Resource overhead for even basic Internet connectivity can be an issue for very small devices, such as those imagined for wearable and ubiquitous computing. A special class of gateway, the personal mobile gateway (PMG), has WAN capability (e.g., GSM/GPRS) and shares it with other small devices that have only PAN connectivity (e.g., Bluetooth, 802.11, 802.15).

The delegation can be general, or specific to the types of application needed (SMS [Smart Messaging System], voice, digital photos, video, etc.). Security issues at this level are beyond the scope of this discussion.

Government wireless installations are required to meet the National Institute of Standards and Technology's Federal Information Processing Standard NIST FIPS 140-2 for cryptographic modules. RADIUS does not meet this standard. For such applications a FIPS 140-2 compliant gateway and corresponding authentication server software must be used.

The physical vulnerability of gateways in unattended locations may also need to be addressed. If the gateway's circuitry is encased in a hardened plastic security potting resin, any attempt at physical tampering is easily recognized.

In any discussion of security and gateways, the limitations of gateways must be emphasized. Gateways form part of a perimeter defense for wired networks. They do not solve the vulnerability of any network to insiders with malicious intent. In addition, while the gateway strategy addresses the threat to the network from malicious wireless devices, it does not protect wireless devices from malicious access points.