Posts: 5,362
Threads: 2,998
Joined: Feb 2011
[attachment=11312]
INTRODUCTION
Wireless Wide Area Networks (WAN) are a popular method of wirelessly accessing data over the Internet. A major concern for many corporate users of wireless WANs is data security and how to protect data that is transmitted over these wireless networks.
All computer systems and communications channels face security threats that can Compromise systems, the services provided by the systems, and/or the data stored on or Transmitted between systems. The most common threats are:
• Denial-of-service
• Interception
• Manipulation
• Masquerading
• Repudiation
Denial-Of-Service (DOS) occurs when an adversary causes a system or a network to become unavailable to legitimate users or causes services to be interrupted or delayed. Consequences can range from a measurable reduction in performance to the complete failure of the system. A wireless example would be using an external signal to jam the wireless channel. There is little that can be done to keep a serious adversary from mounting a denial of service attack.
Interception has more than one meaning. A user’s identity can be intercepted leading to a later instance of masquerading as a legitimate user or a data stream can be intercepted and decrypted for the purpose of disclosing otherwise private information. In either case, the adversary is attacking the confidentiality or privacy of the information that is intercepted. An example would be eavesdropping and capturing the wireless interchanges between a wireless device and the network access point. Since wireless systems use the radio band for transmission, all transmissions can be readily intercepted. Therefore, some form of strong authentication and encryption is necessary in order to keep the contents of intercepted signals from being disclosed.
Manipulation means that data has been inserted, deleted, or otherwise modified on a system or during transmission. This is an attack on the integrity of either the data transmission or on the data stored on a system. An example would be the insertion of a Trojan program or virus on a user device or into the network. Protection of access to the network and its attached systems is one means of avoiding manipulation.
Masquerading refers to the act of an adversary posing as a legitimate user in order to gain access to a wireless network or a system served by the network. For example, a user with inappropriate access to a valid network authenticator could access the network and perform unacceptable functions (e.g., break into a server and plant malicious code, etc.). Strong authentication is required to avoid masquerade attacks. Repudiation is when a user denies having performed an action on the network. Users might deny having sent a particular message or deny accessing the network and performing some action. Strong authentication of users, integrity assurance methods, and digital signatures can minimize the possibility of repudiation.
There are many features of these wireless networks, which provide user and data security. This paper discusses the security features for CDPD, CDMA, and GPRS networks, as well as an introduction to virtual private networks (VPN) and how these applications can be used to enhance the overall security of data on wireless networks.
For each of the technologies presented in this paper, a brief Overview of the wireless network is given, followed by a discussion of each of the features of that network that contribute to the overall security of the network.
Chapter 1
Cellular Digital Packet Data (CDPD)
1.1 INTRODUCTION:
CDPD is a secure, proven, and reliable protocol that has been used for several years by law enforcement, public safety, and mobile professionals to securely access critical, private information. CDPD has several features to enhance the security of the mobile end user’s data and these are discussed below.
1.2 HISTORY OF CDPD:
Based on AMPS (Advanced Phone System) invented by Bell labs, CDPD is developing. We could say, without AMPS, we do not need to mention CDPD. In 1991, CDPD patents were filed by 3 IBMers (Miller, Moore, Pate, IBM Boca Raton). In 1992 North American companies, AT&T, MGcaw, BAM, SW Bell, North Telecom, Ameritech provided 1000,000us$ each as a fund to process a offer packet data service. In 1993, the first version of standard of CDPD came into view. In 1994, in America, the first CDPD experimental network run. The second season same year, the telecommunication giants, wireless and radio branch of AT&T announced they were founding on plan of CDPD service which is totally customized in United States and also covered the whole area at as soon as possible. Following that, most American countries select CDPD to offer packet data service.
The CDPD Forum was founded in April 1994 to provide a more structured way for companies involved in CDPD to work together. The CDPD Forum was responsible for the CDPD standardization specification release. The forum did contribute a lot for the development of CDPD, especially the compatibility between different manufactures. According the statistical records from the CDPD forum, there are about 50 metropolitans areas in America providing this service by the top 39 biggest operators, totally about 21 manufactures have signed alliance of CDPD with agreements of promising to provide compatible equipment.
With significant needs of the wireless data business, a more international organization, Wireless Data Forum was born. It is dedicated to promoting the benefits of wireless data to end user communities, the telecommunications industry, the media, and the information technology industry. Wireless Data Forum takes place of CDPD Forum, which embraces all wireless data technologies, related matters, and a wider variety of members.
1.3 OPERATION OF CDPD:
A brief overview of the operation of the CDPD network is as follows:
A wireless modem (or Mobile End System—M-ES) communicates by radio with the Mobile Data Base Station (MDBS). The MDBS transfers this data by landline and microwave to the Mobile Data Intermediate Systems (MD-IS), which processes and sends the information, by Intermediate System gateways (routers), to the appropriate destination.
The modem refers to the wireless modem in the CDPD network. The MDBS is the cellular tower serving a specific geographical area. The MD-IS is a computer device that serves as the control point for CDPD in a specific region (usually covering several MDBSs).
1.4 CDPD NETWORK COMPONENTS:
CDPD operates as an overlay on top of the AMPS network. Thus for implementing the CDPD, only 4 main subsystems in the CDPD network, ES, MDBS, MD-IS, and IS are needed. The CDPD backbone network is Fig.1.3
1.4.1 MDBS (Mobile Data Base Station)
Mobile Data Base Station, it connects internet to M-ES. So we can say it provides function of relaying. It is responsible for air interface control, radio frequency management and automatic radio hopping. From logic point of view, a MDBS connects many M-ES on a particular channel on a given time, which is called Channel Stream. It is a point to multi-points connection. Within each cell, a Channel Stream is uniquely identified by the Channel Stream Identifier (CSI). Here, we need to talk the up-link and down-link. CDPD is full duplex, so it can support two directions at the same time. On down page link channels, the MDBS sends the data to all M-ES listening on the channels. However, on up page link channels, the MDBS can serve for several M-ES depending on the data traffic and QOS specified.
1.4.2 A Interface - Air Interface
The interface between the Mobile End Station and cell site equipment MDBS. In general, it is possible to adopt the system capacity, also it is possible put more components as system capacity needs to be enlarged. Also it provides the function of wireless diversity in order to improve the Radio Reception. I think this is quite same as the GSM system and TACS system which also use the diversity for compensating the Raleigh Fading. And this tricky is also chosen by the other data service based GSM system. So compared with them, in this sense, CDPD does not have advantages.
1.4.3 MDIS (Mobile Date Intermediate System)
It uses the powerful computers and internetworking technology to deal with requests from the CDPD network also connected with other MDIS. It includes two functional parts of Packet Server and Admin Server. The Admin Server can select the Centralized Control or Decentralized Control , it is up to the operator. So we can say it is very flexible. This is also one reason that can be attractive to the operators implementing this service. In the Decentralized Control, Admin Server and Packet Server are controlled by their own processes automatically, using the twice-backing up (in certain countries called redundant equipment. Most new coming technicians just think this will provide reliability, actually they only answer one point of the question. It also can offer the capability of service un-interruption during the update of the Software. Now in general, the Admin Server and Packet Server are based the foundation of the TCP/IP or OSI reference model.
MDIS controls the MDBS using high speed of 64kbps dedicated channel, the geographical factor of the each cell will be used to decide which MDIS it belongs to. All these are quite like the GSM system, except CDPD does not have some elements which can match the BSC. In the GSM system, the BSC will care the radio exchange, setting up the radio channels for the traffic and for signaling to MSC. In CDPD, it integrates this function to the MDIS whose function can partially match the MSC in the GSM system. It results in bringing more load to the MDIS and also it is not easy to use same concept like the LAI which we can be found in the GSM system. Some books do not agree there are MSC typed elements existing in the CDPD, but in my opinion I think the MDIS should take same responsibility as MSC in the GSM system. MDBS hold the role between the M-ES and MDIS. MDIS is the only network element which knows the M-ES mobility in the system, it means MDIS uses a specific protocol-MNLP to exchange the location information in order to find the accurate location of the M-ES in the network.
