> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, 8 August 2000 4:57 AM
> To: Jane Ferreira Cunha; [EMAIL PROTECTED]
> Subject: Re: Firewall and WAP?
> 
> Jane,
> 
> # Here in Brazil we are beginning to talk seriously about WAP, and, of
> # course, how to keep this kind of traffic secure. I'd like to know if any
> # of you have any experience in that ground. Is there a specific firewall
> # for WAP? Please, if you have any kind of recommendations (products,
> # guidelines), I would be grateful.

You appear to be a wireless network service provider - you should know about
this stuff already. However, I'd look at it this way:

While in the wireless cloud, the client is protected by the option to use
WTLS which is part of the WAP stack.

At the border of the wireless cloud and the LAN, the WAP gateway is really
just a proxy server. You'll buy a WAP gateway from somebody that develops
such things.

Once out of the WAP gateway the traffic is usually just HTML. Securing HTML
is a "solved" problem (insofar as it's soluble). 

If you're talking to a server that supports raw WML stuff then you may need
to check out the latest IANA assignments for the WAP forum ports (here):
http://www.isi.edu/in-notes/iana/assignments/port-numbers

(Firewall implications end here - the rest is off-topic)

> 
> Correct me if I am wrong but this is what I found out about WAP when I was
> researching its use with Domino Mobile Services.
> 
>      WAP is a protocol that is usually used (from what I have seen) between
> your mobile device (cell phone, pager, etc.) and your telephone service's
> network.

Looks right to me. In the whitepaper:
http://www1.wapforum.org/tech/documents/WAP-100-WAPArch-19980430-a.pdf

The WAP gateway is always directly connected to the wireless network.

> So, you would use WAP from your cell phone to the telephone provider's
> network; then, if you wanted to access your Lotus Notes e-mail through
> Domino Mobile Services, the rest of the session would go from a WAP proxy
> server on the telephone provider's network over HTTP to a Domino server on
> your network. WAP uses several forms of cryptography for protection.

Looks like it uses "WTLS" which is a variant of TLS, which is based on SSL,
which we all know about. I had a quick glance through the WTLS spec and
there's nothing that stood out as broken - they have implemented EC
Diffie-Hellman for the exchange of the pre-master secret instead of using
RSA (although it's still supported) and have a nice suite of block ciphers. 

They actually specifically say that if you want end-to-end security then you
need to have the WAP gateway physically located with the end WWW server. I
figure that you could use a new TLS connection from the WAP gateway/proxy to
the end server, but this does NOT authenticate the client - it also makes
the WAP gateway a possible point of compromise for your confidentiality.

I figure the best way to get end-to-end security for WWW type stuff would be
to _not_ use WTLS and use TLS directly with the end server, and it looks
like the WAP stack supports this.

> I'm pretty sure there are no WAP firewalls or WAP proxies for firewalls.
> There could not be an application layer WAP proxy on a firewall without
> the firewall having the encryption keys anyway

SSL proxies are real, so there's no reason why a WAP <--> TLS proxy would
not be feasible. You're right though - those proxies don't actually do
anything except relay the stuff back and forth. In theory, a WAP/TLS proxy
could offer some level of protection to the endpoint by doing some "stuff"
without compromising the endpoint security (TLS is designed to protect
against M-i-t-M attacks, so this is not a security issue for the client).

For people that aren't directly connected to the wireless network this all
reduces to a mostly solved WWW/TLS issue though.

> Check out www.wapforum.org for information on how WAP works.

Nice link. Here's an alternative point of view:

http://www.4k-associates.com/4K-Associates/IEEE-L7-WAP-BIG.html

> 
> 
> Regards,
> Jeffery Gieser
> 

Cheers,

--
Ben Nagy
Network Consultant, Volante Solutions
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
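As an added illustration (not code from this thread or from the WAP Forum), a small Python model of the two designs discussed above: WTLS terminating at the WAP gateway versus TLS straight to the end server, with a border-firewall rule per leg. The zone names, the Hop record and the policy are constructed for the example; the port numbers are the IANA WAP Forum assignments (wap-wsp 9200, wap-wsp-wtp 9201, wap-wsp-s 9202, wap-wsp-wtp-s 9203).

```python
from dataclasses import dataclass

# IANA WAP Forum assignments: port -> (service name, WSP runs over WTLS?)
WAP_PORTS = {9200: ("wap-wsp", False), 9201: ("wap-wsp-wtp", False),
             9202: ("wap-wsp-s", True), 9203: ("wap-wsp-wtp-s", True)}

@dataclass(frozen=True)
class Hop:
    """One leg of a session between the constructed zones handset,
    gateway (the WAP gateway/proxy) and origin (the end WWW server)."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    port: int
    crypto: str  # "wtls", "tls" or "none"

def hop_verdict(hop):
    """Border-firewall rule for a single leg: allow WTLS-protected WSP into
    the gateway and TLS (443) to the origin; deny plaintext legs."""
    if hop.dst == "gateway" and hop.proto == "udp":
        name, secured = WAP_PORTS.get(hop.port, (None, False))
        if name is None:
            return ("deny", "not a WAP Forum port")
        return ("allow", name) if secured else ("deny", f"{name} without WTLS")
    if hop.dst == "origin" and hop.proto == "tcp" and hop.port == 443:
        return ("allow", "tls to origin")
    if hop.dst == "origin" and hop.proto == "tcp" and hop.port == 80:
        return ("deny", "plaintext http to origin")
    return ("deny", "unexpected leg")

def plaintext_holders(session):
    """Parties that can read the application data: each hop's own endpoints
    (whatever cipher layer the hop uses terminates there) plus, for an
    unencrypted hop, anyone on that path."""
    holders = set()
    for hop in session:
        holders.update((hop.src, hop.dst))
        if hop.crypto == "none":
            holders.add(f"path {hop.src}->{hop.dst}")
    return holders

# Constructed sessions. WAP_GAP is the gateway-terminated design described
# in the thread; END_TO_END is TLS straight to the origin with the gateway
# only relaying bytes, so it is not an endpoint of any hop.
WAP_GAP = [Hop("handset", "gateway", "udp", 9203, "wtls"),
           Hop("gateway", "origin", "tcp", 443, "tls")]
END_TO_END = [Hop("handset", "origin", "tcp", 443, "tls")]
```

Both sessions pass the per-leg firewall rule, yet only END_TO_END keeps the gateway out of the set of plaintext holders, which is the point made above about where WTLS ends.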