1. Gateways are devices that control the flow of traffic into or out of a network. Definitions differ, but for this discussion a gateway is a device that passes packets between subnets (real or virtual) and performs operations above OSI layer 3: session management, flow control, protocol conversion, and application-specific processing. Gateways can also be a source of vulnerabilities. They matter to wireless networks and mobile wireless devices for several reasons:
Wireless networks do not afford the same physical security as wired networks, and, because of resource constraints, mobile wireless devices are themselves often less secure than wired hosts. Wireless security gateways can protect a wired network from untrusted wireless hosts. Unlike a firewall, for which every host is either “inside” or “outside,” the inside/outside distinction is blurred for mobile wireless devices. A company’s trusted workers may need “inside” connectivity while using wireless devices; conversely, visitors may need only “outside” connectivity even though they associate with an access point located inside the corporate firewall. Wireless security gateways address this by performing two-way (mutual) authentication and limiting access privileges per device.
2. Mobile wireless devices often have limited resources that cannot support the same protocols as wired devices. They may therefore use lighter-weight protocols, which a protocol gateway must translate before the device can use standard Internet services. For example, a WAP gateway translates between the WAP suite and its wired counterparts: WML (HTML), WMLScript (JavaScript), WBMP (BMP), WBXML (XML), WSP (HTTP), WTP (TCP), WTLS (SSL/TLS), and WDP (UDP).
Translation of this kind raises two security issues. First, the wireless protocols are often weaker than the wired protocols they stand in for (WTLS versus TLS, for example). Second, because the gateway terminates the wireless-side session and re-encrypts for the wired side, the data exists in plaintext inside the gateway; whoever controls the gateway, including its operator, can read it.
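The following is an added illustration of the second point, not code from the original page and not an implementation of any real WAP gateway. It models a translating gateway that terminates a WTLS-like session, rewrites a compact WSP-like request into HTTP, and re-encrypts under a TLS-like session, beside an end-to-end relay that merely forwards opaque bytes. The request format, the keys, the nonce and the HMAC-based stream cipher are all constructed stand-ins; the point is where the plaintext exists, not the cipher.

```python
import hashlib
import hmac

# Constructed example (not from the page): a WAP-style translating gateway.
# Wireless side: a compact "WSP-like" request under a key shared with the
# gateway (stands in for WTLS). Wired side: HTTP under a different key shared
# with the origin server (stands in for TLS). The toy cipher below is an
# HMAC-SHA256 keystream XORed with the data; it is only here to make the
# encrypt/decrypt boundaries concrete.

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher style encryption; the same call decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def wsp_to_http(wsp: bytes) -> bytes:
    """Constructed translation: b'WSP GET <url>' -> an HTTP/1.1 request."""
    method, url = wsp.decode().split(" ")[1:3]
    return f"{method} {url} HTTP/1.1\r\nHost: bank.example\r\n\r\n".encode()

class TranslatingGateway:
    """Terminates the wireless session, converts the protocol, re-encrypts."""
    def __init__(self, wtls_key: bytes, tls_key: bytes):
        self.wtls_key, self.tls_key = wtls_key, tls_key
        self.memory = []   # everything the gateway held in the clear

    def relay(self, nonce: bytes, wtls_ciphertext: bytes) -> bytes:
        wsp_request = xor_crypt(self.wtls_key, nonce, wtls_ciphertext)  # decrypt wireless side
        self.memory.append(wsp_request)
        http_request = wsp_to_http(wsp_request)                          # protocol conversion
        self.memory.append(http_request)
        return xor_crypt(self.tls_key, nonce, http_request)              # re-encrypt wired side

class PassThroughGateway:
    """End-to-end alternative: forwards opaque bytes and holds no session key."""
    def __init__(self):
        self.memory = []

    def relay(self, nonce: bytes, ciphertext: bytes) -> bytes:
        self.memory.append(ciphertext)
        return ciphertext

def run(gateway, client_key: bytes, server_key: bytes, nonce: bytes, secret_url: str) -> dict:
    """Client -> gateway -> server; report what reached the server and whether
    the secret part of the request was ever in the gateway's memory."""
    wsp_request = f"WSP GET {secret_url}".encode()
    to_gateway = xor_crypt(client_key, nonce, wsp_request)
    to_server = gateway.relay(nonce, to_gateway)
    at_server = xor_crypt(server_key, nonce, to_server)
    leaked = any(secret_url.encode() in blob for blob in gateway.memory)
    return {"server_got": at_server, "gateway_saw_secret": leaked}

def demo() -> dict:
    nonce = b"\x00" * 8   # constructed; a real protocol uses fresh per-record nonces
    wtls_key, tls_key, e2e_key = b"wtls-demo-key", b"tls-demo-key", b"end-to-end-demo-key"
    url = "/balance?acct=123456&pin=9876"   # constructed sensitive request
    translating = run(TranslatingGateway(wtls_key, tls_key), wtls_key, tls_key, nonce, url)
    end_to_end = run(PassThroughGateway(), e2e_key, e2e_key, nonce, url)
    return {"translating": translating, "end_to_end": end_to_end}

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: gateway saw secret = {result['gateway_saw_secret']}")
```

In the translating case the server receives a well-formed HTTP request, but the account and PIN were present in the gateway's memory between the two sessions; in the pass-through case the gateway only ever held ciphertext. The price of the end-to-end arrangement is that the server must speak the device's protocol directly, which is exactly the capability the gateway was introduced to avoid requiring.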
Wireless devices often sit on subnets that do not support the full Internet addressing scheme. For example, devices may use IP addresses reserved for local use only (RFC 1918 private addresses), or otherwise lack the capabilities needed for WAN access. Gateways bridge these local subnets to a wider WAN, i.e., the Internet. Common SOHO wireless routers provide NAT so that all local devices reach the Internet through a single public IP address. Similarly, a Personal Mobile Gateway with WAN connectivity such as GSM/GPRS can give Bluetooth, 802.11, or 802.15 devices on a PAN full Internet connectivity.
Because devices behind a NAT gateway do not have globally unique IP addresses, and the gateway rewrites addresses in transit, some security mechanisms break. IPsec AH is the standard example: its integrity check covers the IP header itself, so a NAT rewrite of the source address invalidates the check at the receiver.
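The following added example, not from the original page, makes the NAT/AH conflict concrete and contrasts it with ESP, whose integrity check does not cover the outer IP header. It is a simplified model, not a packet-level implementation of RFC 4302/4303: only source, destination, protocol number and payload are kept, the key and addresses are constructed, and port rewriting and ESP encryption are omitted.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed model (not from the page) of IPsec AH versus ESP under NAT.
# Real AH computes its ICV over the IP header with mutable fields (TTL, header
# checksum, ...) zeroed, plus the AH header and payload. Real ESP authenticates
# only the ESP header and the (encrypted) payload. This model keeps just the
# immutable header fields needed to show why NAT breaks one and not the other.

KEY = b"constructed-demo-integrity-key"   # constructed SA key, not a real one

def icv(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 truncated to 96 bits, as IPsec does for its ICVs."""
    return hmac.new(key, data, hashlib.sha256).digest()[:12]

def header_bytes(src: str, dst: str, proto: int) -> bytes:
    """The immutable IP header fields that AH binds into its ICV."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!B", proto))

def make_ah_packet(key: bytes, src: str, dst: str, proto: int, payload: bytes) -> dict:
    """AH: the ICV binds the IP header fields AND the payload."""
    return {"mode": "AH", "src": src, "dst": dst, "proto": proto, "payload": payload,
            "icv": icv(key, header_bytes(src, dst, proto) + payload)}

def make_esp_packet(key: bytes, src: str, dst: str, payload: bytes) -> dict:
    """ESP (protocol 50): the ICV covers only the ESP-protected payload."""
    return {"mode": "ESP", "src": src, "dst": dst, "proto": 50, "payload": payload,
            "icv": icv(key, payload)}

def verify(key: bytes, pkt: dict) -> bool:
    """Receiver-side check over the same fields the sender covered."""
    if pkt["mode"] == "AH":
        covered = header_bytes(pkt["src"], pkt["dst"], pkt["proto"]) + pkt["payload"]
    else:
        covered = pkt["payload"]
    return hmac.compare_digest(icv(key, covered), pkt["icv"])

def nat_egress(pkt: dict, public_ip: str) -> dict:
    """What a SOHO/PMG NAT gateway does on the way out: rewrite the private
    source address to its single public address (port rewriting omitted)."""
    out = dict(pkt)
    out["src"] = public_ip
    return out

def survives_nat(mode: str) -> bool:
    """Build a packet from a private host, pass it through NAT, verify at the peer."""
    private_host, peer, public_ip = "192.168.1.23", "203.0.113.10", "198.51.100.1"
    if mode == "AH":
        pkt = make_ah_packet(KEY, private_host, peer, 6, b"GET /data")
    else:
        pkt = make_esp_packet(KEY, private_host, peer, b"GET /data")
    return verify(KEY, nat_egress(pkt, public_ip))

if __name__ == "__main__":
    print("AH through NAT verifies: ", survives_nat("AH"))    # False
    print("ESP through NAT verifies:", survives_nat("ESP"))   # True
```

The AH packet that was valid when it left the private host fails verification at the peer purely because the source address changed; nothing malicious happened, so the failure is a design conflict rather than an attack. ESP's ICV survives the rewrite here, but in practice ESP still needs UDP encapsulation (NAT traversal, RFC 3948) because NAT devices also rewrite ports they cannot see inside ESP; AH has no equivalent workaround.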
Mobile wireless devices may take part in various kinds of commerce, such as m-commerce and downloading multimedia streams that carry digital rights.
Where conflicting privacy and ownership interests come into play, “trusted gateways” can, depending on one’s point of view, either bridge the no man’s land between the parties or encapsulate the overlap as a trusted third party. This is an area of active research and is not yet as well defined as the other gateway functions; the issues are closely tied to digital rights management. See, for example, the Shibboleth project.
The Internet was built on “transparency” and the “end-to-end principle.” Roughly stated, transparency “refers to the original Internet concept of a single universal logical addressing scheme, and the mechanisms by which packets may flow from source to destination essentially unaltered.” The end-to-end principle holds that functions other than transport, such as data integrity and security, are best provided by the transmission endpoints themselves. This lets applications ignore the transport mechanism and lets transport systems ignore the data they carry. Gateways, by their nature, violate one or both of these principles: NAT rewrites addresses and so breaks transparency, and a translating or session-terminating gateway breaks the end-to-end principle by handling data that only the endpoints were supposed to see.
3. Gateway deployment strategies
At the basic network level, gateways appear as servers or end-systems, but they also create their own overlay networks and may take part in OSI layer 2 bridging and layer 3 routing. Gateways can greatly complicate network management, so their deployment should be planned within a comprehensive coverage and security strategy.
The main reason to use a wireless security gateway is that an intruder may gain access through an insecure wireless access point and mount an attack on the internal network.
802.11b, Bluetooth, and WAP are all potentially insecure. Access points with stronger security exist, using Cisco’s proprietary extensions or 802.1X port-based authentication, but a large site or campus needs many access points for good coverage, and the cost of numerous high-end access points, together with the problem of managing them (especially when they come from several vendors), is a major concern. A common strategy is to use simple (“thin”) access points and place one or more security gateways between all of the access points and the wired network. Then even if anyone can associate with an access point, they are challenged at the gateway, which may use IPsec or another VPN for encryption and an LDAP directory for authentication.
Several strategies are available to ensure that access points connect only to a gateway.
Access points can be physically wired to a separate subnet for which the gateways provide the only bridge to the main wired network. Over a large area, maintaining a second wired network just for access points may be impractical; multiple smaller networks can be used instead, each with its own gateway. Multiple gateways can share a common central management tool, such as CA or HP OpenView, and may be arranged in master/slave relationships for configuration and fail-over. Another alternative is to have the access points VPN-tunnel to a single gateway, using the regular wired network only as the transport medium.
Gateways can grant different users different levels of trust. The simplest way to set this up is to differentiate users by IP address and grant different levels of service (e.g., bandwidth) and different kinds of access (e.g., specific protocols such as FTP and HTTP, and specific destination hosts) using OSI layer 3 (IP address) and layer 4 (protocol and port) filtering. Access classes can be grouped by role and identified by predefined ranges of IP addresses. The caveat is that a source address is easy to spoof, and on a shared wireless segment easy to take over, so an IP-based access class is only as trustworthy as the per-device authentication that assigned the address in the first place.
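As an added example, not from the original page and not any vendor's gateway policy, the following implements the role-by-address scheme just described: access classes identified by source address ranges, each granting a set of (protocol, port) services, a bandwidth level, and a list of destinations the role may not reach. The ranges, services and sample flows are all constructed; the default for an address that matches no class is deny.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example (not from the page) of per-role filtering at a wireless
# security gateway: source address range -> role -> allowed services,
# blocked destinations, and a bandwidth level.

@dataclass(frozen=True)
class AccessClass:
    role: str
    sources: tuple            # ip_network objects identifying the class
    allowed_services: frozenset   # (proto, dst_port) pairs (layer 4 filtering)
    blocked_dests: tuple      # ip_network objects this role may not reach
    bandwidth_kbps: int       # level of service granted to the class

CORPORATE = ipaddress.ip_network("10.0.0.0/8")   # constructed internal range

POLICY = (
    # Staff: wireless range 10.10.0.0/24, internal access plus FTP/SSH/web.
    AccessClass("staff", (ipaddress.ip_network("10.10.0.0/24"),),
                frozenset({("tcp", 21), ("tcp", 22), ("tcp", 80), ("tcp", 443)}),
                (), 10_000),
    # Visitors: wireless range 10.10.1.0/24, web only, nothing inside the company.
    AccessClass("visitor", (ipaddress.ip_network("10.10.1.0/24"),),
                frozenset({("tcp", 80), ("tcp", 443)}),
                (CORPORATE,), 1_000),
)

def classify(src: str):
    """Layer 3 step: map a source address to its access class, or None."""
    addr = ipaddress.ip_address(src)
    for ac in POLICY:
        if any(addr in net for net in ac.sources):
            return ac
    return None

def decide(src: str, dst: str, proto: str, dst_port: int) -> tuple:
    """Return (verdict, reason-or-role, bandwidth_kbps) for one flow."""
    ac = classify(src)
    if ac is None:
        return ("deny", "source not in any access class", 0)
    if (proto, dst_port) not in ac.allowed_services:
        return ("deny", f"{proto}/{dst_port} not permitted for role {ac.role}", 0)
    if any(ipaddress.ip_address(dst) in net for net in ac.blocked_dests):
        return ("deny", f"destination {dst} not permitted for role {ac.role}", 0)
    return ("allow", ac.role, ac.bandwidth_kbps)

# Constructed sample flows: (src, dst, proto, dst_port)
SAMPLE_FLOWS = (
    ("10.10.0.7", "10.0.0.5", "tcp", 22),       # staff -> internal SSH
    ("10.10.1.7", "10.0.0.5", "tcp", 22),       # visitor -> internal SSH
    ("10.10.1.7", "10.0.0.5", "tcp", 80),       # visitor -> internal web
    ("10.10.1.7", "203.0.113.7", "tcp", 443),   # visitor -> Internet HTTPS
    ("10.10.9.1", "203.0.113.7", "tcp", 443),   # unclassified source
)

def evaluate_all(flows=SAMPLE_FLOWS) -> list:
    return [decide(*flow) for flow in flows]

if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, evaluate_all()):
        print(flow, "->", verdict)
```

The class is chosen purely from the source address, which is the weakness noted above: a visitor who sets a static address in the staff range, or who takes over a staff address on the shared segment, would be classified as staff. A gateway that binds the address to an authenticated device (for example by assigning it only after the per-device authentication succeeds, and dropping the binding when the session ends) closes that gap; the policy lookup itself stays the same.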