WAP (Wireless Application Protocol) is a standard Internet protocol designed to optimise the delivery of web-based information to wireless and low-power computing devices such as mobile phones and PDAs. The awayWEB system supports WML, the WAP-specific content format used to deliver pages of information to WAP clients. WAP clients log in to the awayWEB system from their WAP browser using two-factor authentication. Once logged in, users can access intranet content according to the access-control rules in the gateway.
WAP systems are designed so that client devices access the general Internet through a WAP gateway server. The gateway performs, on behalf of the WAP device, functions that would otherwise consume too many resources in the client: translation between HTTP and the WAP-specific WSP protocol, and management of cookies, bookmarks, history and user preferences. Delegating these functions from the client to the WAP gateway raises security issues when intranet services are accessed through the gateway.
By default, WAP applications enjoy very little security protection from the WAP infrastructure (Figure 7). By employing best practice security techniques, the awayWEB system can greatly improve the end-to-end security of WAP applications (Figure 8).
A specific service provided by the WAP gateway is the translation of the WAP-specific WTLS encryption into industry-standard SSL encryption for access to 'https'-protected web content. The WTLS session from the handset terminates at the gateway and a separate SSL session is opened from the gateway to the web server, so the WAP gateway has full access to the plaintext of each request and response: WTLS and SSL protect the data on either side of the gateway, but not while it is passing through the WAP gateway itself (shown by the unprotected communications illustrated in the WAP gateway in Figure 8).
The WAP gateway should, therefore, be operated by a trusted party if sensitive corporate information passes through it. An organisation that wishes to use WAP but prefers not to install its own WAP-specific infrastructure should select a WAP gateway provider (often the mobile phone service provider) that offers a sufficient level of security assurance.
Certain security issues remain even if the normal operation of the WAP gateway is not compromised: in particular, some corporate information is likely to be recorded by the WAP gateway, exposing it to the risk of unauthorised disclosure. These risks are similar to those experienced by browsers in untrusted environments (and are mitigated in similar ways), except that the exposure is at the WAP gateway rather than in the client system.
The WAP gateway maintains a history of the URLs accessed by each client. This may include information about intranet systems, names of documents and parameters supplied to intranet applications. This risk is mitigated by the same awayWEB feature that provides privacy protection in the HTML environment: URL encryption (see 6.1). Intranet content is modified by the awayWEB gateway so that the target of each link is encrypted and meaningless to the WAP gateway. When the encrypted link is followed, an authorised user obtains the appropriate intranet content, but the records of the WAP gateway show only the encrypted URL. This minimises the risk of misuse by the WAP gateway operator.
The audit trail recorded by the awayWEB gateway (available only to the awayWEB administrator) shows each full, unencrypted intranet URL actually requested by the client, along with WAP-specific information such as the WAP subscriber number.
Most WAP clients (such as mobile phones) have very limited memory. In order to speed up browsing of commonly requested content, the WAP gateway server usually caches copies of each page requested by the client. The copies may remain on the WAP gateway for an indefinite period (often up to 30 days), during which time they may be accessed either by an intruder or by the administrators of the server. WAP applications can signal to the WAP gateway not to cache such information, but this involves modifying each application during development to send the correct signals (HTTP headers). The awayWEB gateway can add the appropriate cache-control headers to each intranet page before it is sent to the WAP gateway, without requiring changes to the intranet applications. The same cache-control mechanism used to provide privacy protection for HTML browsers (see ) operates at the WAP gateway.
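The two gateway-side protections described above, URL encryption of intranet links and the addition of cache-control headers, as one added example. This is illustrative code written for this page, not awayWEB's own implementation, and the page does not state which cipher or header set the product uses. The resolver path /awayweb/go?u=, the header values, the keys and the sample WML deck are assumptions; the token construction is HMAC-SHA256 in counter mode with a separate HMAC tag (standard library only), chosen so the example runs anywhere.

```python
import base64
import hashlib
import hmac
import re
import secrets
from typing import List, Optional, Tuple

# Constructed keys for this example. A real gateway would generate its own and
# keep them in its key store; they must never be shared with the WAP gateway.
ENC_KEY = hashlib.sha256(b"example encryption key").digest()
MAC_KEY = hashlib.sha256(b"example authentication key").digest()
NONCE_LEN = 12
TAG_LEN = 16

# Standard HTTP directives that tell the WAP gateway (and HTTP/1.0 caches) not
# to keep a copy. The exact header set awayWEB emits is an assumption.
NO_CACHE_HEADERS = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}

GATEWAY_PREFIX = "/awayweb/go?u="   # hypothetical link-resolver path on awayWEB
HREF_RE = re.compile(r'href="([^"]*)"')


def _keystream(nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a PRF keystream (standard library only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(ENC_KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_url(url: str) -> str:
    """Encrypt-then-MAC an intranet URL into an opaque, URL-safe token."""
    nonce = secrets.token_bytes(NONCE_LEN)
    plain = url.encode("utf-8")
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(nonce, len(plain))))
    tag = hmac.new(MAC_KEY, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    return base64.urlsafe_b64encode(nonce + cipher + tag).decode("ascii").rstrip("=")


def decrypt_url(token: str) -> Optional[str]:
    """Recover the intranet URL, or None for a forged, truncated or tampered token."""
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + cipher, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):  # verify before decrypting
        return None
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(nonce, len(cipher))))
    return plain.decode("utf-8")


def rewrite_wml(wml: str) -> str:
    """Replace every link target in a WML deck with an encrypted link through awayWEB."""
    return HREF_RE.sub(lambda m: 'href="%s%s"' % (GATEWAY_PREFIX, encrypt_url(m.group(1))), wml)


def serve_to_wap_gateway(wml: str) -> Tuple[dict, str]:
    """Response as it leaves awayWEB: encrypted links plus no-cache headers."""
    headers = {"Content-Type": "text/vnd.wap.wml"}
    headers.update(NO_CACHE_HEADERS)
    return headers, rewrite_wml(wml)


def extract_tokens(wml: str) -> List[str]:
    """The opaque tokens in a rewritten deck: all the WAP gateway's history can record."""
    return re.findall(r'href="%s([^"]+)"' % re.escape(GATEWAY_PREFIX), wml)


def resolve_link(token: str, audit_log: List[Tuple[str, str]]) -> Optional[str]:
    """Decrypt a followed link; only awayWEB's own audit trail sees the real URL."""
    url = decrypt_url(token)
    if url is None:
        audit_log.append(("REJECT", token))  # forged or corrupted link
        return None
    audit_log.append(("ALLOW", url))
    return url


# Constructed sample deck with a parameterised intranet link.
SAMPLE_DECK = (
    '<wml><card id="claims" title="Expenses"><p>'
    '<a href="http://intranet.example/expenses/claim.wml?emp=4711">My claims</a>'
    '</p></card></wml>'
)

if __name__ == "__main__":
    headers, body = serve_to_wap_gateway(SAMPLE_DECK)
    print(headers)
    print(body)  # what the WAP gateway sees and may log or cache
    log = []
    print(resolve_link(extract_tokens(body)[0], log), log)
```

The MAC is checked before any decryption so that a WAP gateway operator who edits a recorded token cannot probe the intranet with it; the rejected token is still written to the gateway's own audit trail, which is where the unencrypted URLs live.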
WAP devices often have very limited data-entry facilities. Because input is made on a mobile phone keypad, careful design of WAP displays and minimisation of user input are very important to the usability of WAP applications.
AwayWEB maximises WAP usability in a number of ways:
awayWEB is supplied with a variety of login form templates tuned for specific brands of token card. For example, the RSA SecurID card produces an all-numeric passcode; the awayWEB login page can use this property to switch the phone automatically into 'number entry' mode, which can cut the number of keystrokes required during a typical login by up to 75%.
As users usually use the same mobile phone, awayWEB can pre-fill the username field on the phone or PDA with the last username used, removing the need to re-enter it. This can reduce keystrokes by 50% compared with a system that requires the username to be entered on each login.
The awayWEB sign-on minimisation features (see section 7) are a major benefit to WAP users, who might otherwise need to log in separately to multiple intranet applications.
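The numeric-entry and pre-filled username features above, rendered as the WML login card a gateway would send, as an added example that is not awayWEB's own template. The template names, the login URL /awayweb/login and the card layout are assumptions; what the example shows is the WML 1.1 input format attribute itself, since format="*N" (digits only) is what puts a WAP handset into number-entry mode, and the value attribute is what pre-fills the username.

```python
from typing import Optional
from xml.sax.saxutils import quoteattr

# WML 1.1 input formats keyed by token-card template (template names are
# assumptions). "*N" accepts digits only, which makes the handset switch its
# keypad to number-entry mode; "*M" accepts any character.
PASSCODE_FORMATS = {
    "securid": "*N",   # RSA SecurID: all-numeric passcode
    "generic": "*M",   # alphanumeric one-time password
}

WML_PROLOGUE = (
    '<?xml version="1.0"?>\n'
    '<!DOCTYPE wml PUBLIC "-//WAPFORUM//DTD WML 1.1//EN" '
    '"http://www.wapforum.org/DTD/wml_1.1.xml">\n'
)


def login_card(last_username: Optional[str], token_type: str = "generic") -> str:
    """Render the login deck: a numeric-only passcode field where the token card
    allows it, and the username pre-filled from the previous login on this handset."""
    fmt = PASSCODE_FORMATS.get(token_type, "*M")
    user_attr = quoteattr(last_username or "")   # escapes the stored value for XML
    return WML_PROLOGUE + (
        '<wml><card id="login" title="awayWEB login">\n'
        '<do type="accept" label="Login">'
        '<go method="post" href="/awayweb/login">'   # hypothetical login URL
        '<postfield name="user" value="$(user)"/>'
        '<postfield name="pass" value="$(pass)"/>'
        '</go></do>\n'
        '<p>User: <input name="user" type="text" value=%s/></p>\n'
        '<p>Passcode: <input name="pass" type="password" format="%s" emptyok="false"/></p>\n'
        '</card></wml>\n'
    ) % (user_attr, fmt)


if __name__ == "__main__":
    print(login_card("jsmith", "securid"))
```

The stored username is passed through quoteattr so that a value containing XML metacharacters cannot break out of the attribute; the passcode field uses type="password" and is never pre-filled.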