ericssonhistory.com

More documents

Recommendations

Info

Figure 9GPRS VPN scenarios.Figure 10The Ericsson WLAN security solution.protocol. IKE is not supported in the currentrelease but will be supported in the nearfuture. The flexible design of the GGSN allowsfor various VPN tunnel options betweenthe GGSN and a corporate network.RADIUS authentication can be handled atthe corporate site. As shown in Figure 9, astatic IPsec connection is set up between theGGSN and a gateway in the corporate network.Alternative locations of RADIUS anddynamic host configuration protocol(DHCP) servers within the external networksare indicated in the figure. Corporatenetwork no. 1 uses RADIUS for authenticatingclients and assigning addresses. Corporatenetwork no. 2 relies on the GSM attachauthentication mechanism and utilizesDHCP to assign client IP addresses. Finally,corporate network no. 3 uses a hybrid approach,in which DHCP manages client IPaddresses, and RADIUS authenticatesclients.The WLAN security productEricsson's WLAN solution provides transparentmobility and security for mobileusers who want to access their company networks.WLAN Guard provides firewall protection,preventing unauthorized access tothe wireless LAN. WLAN Guard also servesas the security link in a wireless network,safeguarding user information over thewireless network and ensuring that unauthorizedmonitoring of the network or intrusiondoes not occur. The WLAN Guardsecurity solution is based on IPsec. Encryption/decryptionand authorization keys arealso employed to provide authentication,automatic security association management,and to protect wireless traffic. The authorizationkeys are compliant with the IKEstandard. The WLAN Guard control databaseretains records of all authorized usersand their required keys (Figure 10).Secure corporate e-mail on the InternetThe Internet standard S/MIME was developedto provide authentication, integrityand confidential services for Internet e-mail.It is also attractive for corporate use, nowthat more and more mobile users need tocommunicate securely with colleagues oncorporate intranets. S/MIME relies on theexistence of a PKI under the control of atrusted CA.S/MIME is fundamentally used for pointto-pointsecurity. Thus, for secure e-mail betweenparties, each party must obtain a digitalcertificate. This requires full PKI de-104 Ericsson Review No. 2, 2000
ployment, which is a complex task. Furthermore,for a mobile user on the Internetto use S/MIME to exchange e-mail withusers on the intranet, the corporate PKIneeds to be accessible from the Internet,which might conflict with corporate securitypolicies.Ericsson Research has designed a flexibleS/MIME-based architecture that employsdomain-to-point security. The solution allowsmobile users to manage corporate e-mail using an untrusted Internet e-mailserver; for example, at an ISP. The solutionrequires minimal PKI deployment, does notaffect the intranet infrastructure, and can beconstructed from standard components(Figure 11).The CA issues digital certificates to mobileusers and to a secure mail gateway(SMG) that implements domain-to-pointsecurity for outgoing and incoming e-mailbetween mobile and corporate users. E-mailfrom the intranet to the mobile user is automaticallysecured with S/MIME by theSMG, using the mobile user's certificate.Similarly, e-mail from the mobile user to auser on the intranet is automatically securedwith S/MIME on the mobile device (usingthe SMG's certificate) and forwarded to theSMG. Upon reception, the SMG restores thee-mail to its original form and forwards itto the intended recipient. An added benefitis that mobile users who do not know eachother's certificate can communicate securelyvia the SMG. This benefit can also be exploitedto distribute certificates.Future trendsThreats and opportunitiesIn the all-IP world, access will be separatedfrom services, and end-users will have a singlesubscription from which they can accessany service on the global Internet. Whilethis openness of access and services will increasethe value of the Internet, it will belike an open door to malicious users, fraudulentservice providers, and deceitful accessnetworks. Denial-of-service attacks mightdisturb IP traffic or destroy services. Threatsof this kind put strong security requirementson roaming, authentication, authorization,operation and management, andbilling. But the openness and service thatcan be furnished will also give operators andISPs new opportunities, such as the meansof providing security. For example, operatorsor ISPs might also function as CAs.Figure 11Secure corporate e-mail on the Internet.New solutionsThe mechanisms we have described will reducethe impact of new threats. In the future,firewalls and flexible trustmanagementengines will continue to beimportant security components. These aregood tools in terms of protecting networksfrom denial-of-service attacks from the Internet.Attacks from terminals must bedealt with using encrypted radio links,ingress filtering firewalls, fraud detection,and auditing mechanisms. Cryptographicprotection of all control and managementtraffic in the network prevents unauthorizedusers from accessing core functionality inthe network. Protocols, such as IKE/IPsecand TLS, can be used as the basic protectionmechanism for several different applications.Likewise, necessary AAA mechanismsare required for reliable user authenticationand billing services. These mechanisms willprovide security for large-scale roaming,Ericsson Review No. 2, 2000 105
Page 1:
Ericsson 2/2000REVIEWTHE TELECOMMUN
Page 4 and 5: ContributorsIn this issueLuis Barri
Page 6 and 7: Ericsson Review is also published o
Page 8 and 9: Evolving from cdmaOne to third-gene
Page 10 and 11: Figure 2Operators Harmonization Agr
Page 12 and 13: more features, and greater reliabil
Page 14 and 15: Figure 7Ericsson's third-generation
Page 16 and 17: Figure 11Ericsson's timeline for ev
Page 18 and 19: Third-generation TDMAChristofer Lin
Page 20 and 21: TABLE 1 MODULATION AND CODING SCHEM
Page 22 and 23: Figure 3An example of a cell patter
Page 24 and 25: Figure 5Curves illustrating maximum
Page 26 and 27: TABLE 3. DYNAMIC PACKET DATA SIMULA
Page 28 and 29: erage can be achieved in existing c
Page 30 and 31: Business solutions for mobile e-com
Page 32 and 33: Figure 2Comparison of traditional a
Page 34 and 35: BOX B, THE E-COMMERCE TIMELINE1999E
Page 36 and 37: Figure 6Mobile e-Pay end-user servi
Page 38 and 39: Figure 8Access features with push-a
Page 40 and 41: AuthenticationTo verify that end-us
Page 42 and 43: BOX C, MARKET HARMONIZATIONOn Tuesd
Page 44 and 45: Figure 2The footprint of the RBS 22
Page 46 and 47: Communications security in an all-I
Page 48 and 49: BOX B, SYMMETRIC KEY SYSTEMSGood sy
Page 50 and 51: Figure 4Construction of an ESP-prot
Page 52 and 53: Figure 7An X.500 database structure
Page 56 and 57: TRADEMARKSRC4 and RC4 are registere
Page 58 and 59: HIPERLAN type 2 for broadband wirel
Page 60 and 61: Figure 3Typical usage of communicat
Page 62 and 63: Figure 6Mapping of higher layer pac
Page 64 and 65: TABLE 1PHYSICAL LAYER MODES OF HIPE
Page 66 and 67: Queen City WaterfrontEMERGING PROJE
Page 68 and 69: TABLE 2. IMPORTANT PARAMETERS FOR N
Page 70: Previous issuesNo. 1,2000IPv6—The
show all

ericssonhistory.com

Create successful ePaper yourself

Delete template?

Save as template?