Security Protocols: the Wireline Incumbent and the Wireless Challenger

Lack of security remains a stumbling block for large enterprises and service providers that want to launch corporate wireless services. The WTLS protocol is built specifically for wireless communication, and its deployment is picking up.

Wireless technology is finally mature enough to be useful in corporate data applications. One of the reasons for this is the public high-speed wireless networks emerging in metropolitan areas, enabling traveling employees to access corporate data just as easily as if they were at the office. When combined with the commercial rollout of public GPRS services and new, high-capacity wireless devices, the foundation is in place for the successful rollout of corporate wireless data services.

However, large enterprises and service providers have, for the most part, been unable to adequately launch their corporate wireless services. One major obstacle has undoubtedly been the lack of security. Communicating sensitive data in a public wireless environment requires a security framework strong enough to resist any unauthorized access to corporate data or the corporate network, while providing convenient access for end users.

The lack of convenience in combination with relatively poor wireless transmission performance is another issue that further prevents a successful commercial rollout. There is clearly a demand for new wireless solutions that address security issues without sacrificing the user experience.

So far, a majority of security solutions, such as VPNs (virtual private networks), have relied upon the traditional security protocol IPSec, which is designed for the wireline world. These types of solutions work well when connected over cables and phone lines, but when using a wireless link, IPSec begins to show its faults.

Fortunately, an alternative exists that is built for optimal performance in wireless communications, while addressing common shortcomings associated with IPSec. This wireless-optimized protocol is called Wireless Transport Layer Security (WTLS). WTLS is a wireless adaptation of the TLS protocol and is used in millions of mobile devices to secure wireless data communication. WTLS is beginning to be introduced to enterprises by Symbol Technologies and Diversinet.

One of the main differences between IPSec and WTLS is their position in the protocol stack. IPSec is applied at the network level, making IPSec dependent on the IP address of the connecting host. WTLS, on the other hand, is applied at the session level, enabling independence of IP addresses and network standards.

This article will make a brief comparison between the two protocols, and investigate how they affect both users and administrators regarding security, performance, and convenience.

Security Throughout
The most important function in a VPN is security. A wireless VPN must provide at least the same level of security as traditional wireline VPNs. Sensitive data is transmitted over public, insecure networks, which are fully accessible by third parties. Enterprise VPN solutions rely on their security mechanisms to provide privacy, data integrity, and authentication. If any of these mechanisms fail, the VPN is vulnerable to attacks.

WTLS can be used to enforce strong end-to-end security on an application-to-application level, which means that encryption is maintained past any corporate firewall or gateway all the way to the application if needed. When end-to-end security is not required, WTLS encryption can be terminated in a border gateway, as is normally the case with IP VPN solutions.

IPSec is unable to maintain encryption past ordinary firewalls, gateways, and Network Address Translators (NATs) without implementing a large-scale network upgrade. This is due to the fact that traditional NAT servers expect transport-level information rather than IPSec headers following the IP header. The so-called "NAT problem" has been attracting a lot of attention within the Internet Engineering Task Force (IETF) community; however, at this time there are no standardized solutions at hand.

The Convenience of a Trustworthy Connection
Intermittent connectivity is, unfortunately, a characteristic closely related to wireless communication. Connections fluctuate, bouncing up and down due to bad radio coverage, shortage of radio resources, or interference. One of the design goals of the WTLS standard was to address these issues by implementing mechanisms to quickly reestablish a session after a network failure. The result, called Session Resume, allows for a very fast VPN reconnection without any user interaction.

The user does not have to go through any extra logon or authentication procedures, eliminating frustrations associated with repetitive reauthentication when connections are lost. A complementary feature enabled by WTLS is called Transaction Recovery, which allows a data transfer to automatically pick up from where it was interrupted. Thus, from a user's point of view, any loss of signal coverage will at most pause a user's transmissions, while the secure connection is reestablished automatically.

Due to IPSec's lack of Session Resume, a device using IPSec technology cannot pick up a lost connection nor continue a download after a session interruption.

Transmission Performance
To optimize transmission, many technologies use speed mechanisms such as compression and data reduction. When dealing with security and encryption, data has to be compressed before it is encrypted, in order to realize any appreciable file-size reduction from the compression. A WTLS-based solution would follow this method; thus the compression ratios are very high. An IPSec-based solution can compress data before encryption, but only on a packet-by-packet basis.

What is common for all types of compression algorithms is the fact that compressing encrypted data has no effect since the algorithms take advantage of structures in the data, something good encryption removes completely. Because of this, it is vital to compress data before encryption if the data compression is to be effective. At the session level, when utilizing a WTLS-based solution, compression and data reduction are performed close to the application layer, ensuring high compression ratios.
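The two paragraphs above make three claims: compression must precede encryption, ciphertext does not compress, and session-level (whole-stream) compression beats packet-by-packet compression. The following added example (not code from the article or from any vendor it mentions) measures all three on a constructed stream of small XML records. The SHAKE-256 keystream XOR is an assumed stand-in for a real cipher, chosen only so the script runs with the standard library.

```python
import hashlib
import zlib

# Constructed sample session payload: a run of small, similar XML records such
# as an application might send over a wireless link. Not data from the article.
SAMPLE_STREAM = b"".join(
    b'<record id="%d"><status>OK</status><user>delegate</user></record>\n' % i
    for i in range(200)
)
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def keystream_xor(key: bytes, nonce: int, data: bytes) -> bytes:
    """Illustrative stream cipher: XOR with a SHAKE-256 keystream derived from
    the key and a per-message nonce. It stands in for "good encryption" (the
    output has no structure zlib can exploit); it is not a production cipher."""
    ks = hashlib.shake_256(key + nonce.to_bytes(8, "big")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def session_compress_then_encrypt(data: bytes, key: bytes) -> bytes:
    """Session-level approach: compress the whole stream, then encrypt."""
    return keystream_xor(key, 0, zlib.compress(data, 9))


def per_packet_compress_then_encrypt(data: bytes, key: bytes, mtu: int = 1400) -> bytes:
    """Packet-level approach: each MTU-sized chunk is compressed on its own, so
    no chunk can refer back to redundancy already seen in earlier chunks."""
    out = bytearray()
    for n, off in enumerate(range(0, len(data), mtu)):
        out += keystream_xor(key, n + 1, zlib.compress(data[off:off + mtu], 9))
    return bytes(out)


def encrypt_then_compress(data: bytes, key: bytes) -> bytes:
    """Wrong order: ciphertext looks random, so compression cannot shrink it."""
    return zlib.compress(keystream_xor(key, 0, data), 9)


def compression_ratios(data: bytes = SAMPLE_STREAM, key: bytes = DEMO_KEY) -> dict:
    """Output size divided by input size for each ordering (smaller is better)."""
    return {
        "session_compress_then_encrypt": len(session_compress_then_encrypt(data, key)) / len(data),
        "per_packet_compress_then_encrypt": len(per_packet_compress_then_encrypt(data, key)) / len(data),
        "encrypt_then_compress": len(encrypt_then_compress(data, key)) / len(data),
    }


if __name__ == "__main__":
    for name, r in compression_ratios().items():
        print(f"{name:34s} {r:.3f}")
```

On this input the session-level ordering yields the smallest output, the per-packet ordering is noticeably larger because every chunk must re-learn the same patterns, and encrypt-then-compress produces output slightly larger than the input.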

Data reduction is another effective way of increasing wireless performance. Protocol optimizations implemented at the session layer, such as binary encoding and caching, reduce latency as well as the amount of data sent between the communicating peers. These features are enabled through WTLS at the session level, and serve to improve perceived transmission speed, an important factor in today's narrowband wireless environment.

Validation for WTLS
WTLS is finding its way into the wireless marketplace as security companies begin to recognize the need for a security protocol built specifically for wireless communication. Several companies, including Symbol Technologies and Diversinet, have chosen to deploy or work with technology built upon WTLS over the traditional IPSec-based solutions available. WTLS delivers security throughout the transmission, the convenience of a wireless connection that a user can actually trust, and boosted performance. Given these factors, WTLS emerges as an important addition to the checklist for those seeking to deploy secure, trustworthy wireless technologies.

SIDEBAR

Swedish Parliament Embraces Secure Wireless Communications
It's no surprise that government institutions and services aim to deploy front-end wireless technologies. Sweden has often been seen as a pioneer in IT development, as vendors emerge from obscurity, delivering a wide range of wireless products and services. Last year, the Parliament of Sweden (Sveriges Riksdag) started a project with the objective to provide all 349 delegates with wireless access to mission-critical information.

Delegates of the Swedish Parliament use three main locations for conducting their work: the Parliament's premises in downtown Stockholm; their personal offices; and their local offices/homes in their election districts. At all three locations, the delegates depend on access to the internal infrastructure at the Parliament to participate in debates, voting, and decisions. When delegates are physically located at any of those three premises, remote access is not an issue.

A wired encrypted line between the Parliament's network and the delegates' clients is a simple task to deploy and maintain since there are numerous solutions available today to deliver secure remote access. Further, delegates spend a lot of time in transfer between different sites, and demand a wireless connection when waiting for the train, a flight, or even when traveling on the train, in the cab, or on the bus to meet voters around town.

Therefore, Parliament required a very robust solution, one that consists of three elements: an application developed by the IT department at the Parliament; a Lotus Domino Everyplace Access Server from IBM connected to the Parliament's information infrastructure; and Columbitech's Wireless Suite to secure the connection. With Columbitech's component, security is highly prioritized and all data traffic is encrypted to guarantee that there's no unauthorized access.

Columbitech has also delivered a configuration service that the Parliament has integrated into their Lotus Notes administration, which enables the IT department to configure all mobile devices by sending one short message service (SMS) with all the necessary details for new configurations.

From the delegates' perspective, the main concerns are user convenience and connection reliability. The user interface should be simple enough that anyone with average computer skills can use the solution after brief training. Logins should be held to a minimum: no more than two logins, or a single login with a one-time password. There are solutions that address the users' concerns, but at the end of the day it is the opinion of the IT department that will decide which solution to deploy.

Security is the main concern for the IT department, especially when it comes to governmental services where the nation's security as well as the individual's integrity is at stake. To meet those demands, the wireless security protocol WTLS was deployed. WTLS can be used to enforce strong end-to-end security on an application-to-application level, which means that encryption is maintained past any corporate firewall or gateway all the way to the application if needed.

If end-to-end security is not required, WTLS encryption can be terminated in a border gateway. There are three parameters that demand protection: the client, the internal network, and the data communication between the two. The client can be protected through a one-time password, encrypted hard drives, and, in the future, biometric authentication through fingerprints or eye scanning.

The internal network is protected through firewalls and smart infrastructure, effectively eliminating security holes including unprotected wireless LANs. The data communication can be secured by tunneling strongly encrypted data from the corporate firewall all the way to the client where the data is decrypted.

The Swedish Parliament was aware of the requirements of an effective wireless solution, and the many obstacles to overcome in deploying a comprehensive, flexible, and mature solution. With this successful implementation, it is clear that the potential for government agencies to embrace wireless technology is the next logical step.

More Stories By Pontus Bergdahl

Pontus Bergdahl is founder and CEO of Columbitech. He is responsible for the strategic and tactical direction of the company, along with overseeing development of the company's products. Pontus holds an MBA with a concentration in marketing from INSEAD in Paris, France and an MS in industrial engineering from Chalmers University of Technology in Gothenburg, Sweden.
