Educational and methodological manual. For students and postgraduates. Taganrog, 2008


Text 2. Gateway server security. Read the text and write its summary.

Gateways are devices that control the flow of traffic into or out of a network. Although definitions differ, for this context a gateway can be thought of as a device that passes packets between subnets (real or virtual), and performs operations above OSI layer 3 (session, flow control, protocol conversion, and application specific). Gateways can also be the source of vulnerabilities. Gateways are important to wireless networks and mobile wireless devices for several reasons:

Wireless networks do not afford the same physical levels of security as wired networks. Due to resource constraints, mobile wireless devices are themselves often less secure than wired devices. Wireless security gateways can protect a wired network from untrusted wireless hosts. Unlike firewalls, for which hosts are either “inside the firewall” or “outside the firewall,” the distinction between inside and outside is somewhat blurred for mobile wireless devices. A company’s trusted workers may need “inside” kinds of connectivity while using wireless devices. Conversely, visitors may need “outside” kinds of connectivity while connecting to the company’s wired network through an access point inside the corporate firewall. Wireless security gateways address these issues by performing two-way authentication and limiting access privileges on a per-device basis.

Mobile wireless devices often have limited resources that cannot support the same protocols as wired devices. They may therefore use resource-sharing protocols which must be translated in a protocol gateway to enable interaction with standard Internet protocol services. For example, a WAP gateway translates protocols in the WAP suite, including WML (HTML), WML Script (CGI), WBMP (BMP), WBXML (XML), WSP (HTTP), WTP (TCP/IP), WTLS (SSL), and WDP (UDP).

These kinds of translation pose security issues both because the wireless protocols are often less secure than the corresponding wired protocols, and because, in translation, encrypted data takes an unencrypted form inside the gateway.

Wireless devices often exist on subnets that do not support the full Internet addressing scheme. For example, devices may use IP addresses reserved for local access only, or otherwise not support all of the capabilities needed for WAN access. Gateways can provide a bridge between these local subnets and a broader WAN (i.e., the Internet). Common SOHO wireless switches provide NAT to allow all local devices to access the Internet using a single IP address. Similarly, a Personal Mobile Gateway with WAN connectivity like GSM/GPRS can allow Bluetooth, 802.11, or 802.15 devices on a PAN to have full Internet connectivity.

The fact that devices behind a NAT gateway do not have unique IP addresses has implications for some security strategies (i.e., IPSEC-AH).
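The interaction between NAT and IPsec AH mentioned above, as an added illustration that is not part of the original text: AH's integrity check value covers the IP addresses, so a NAT gateway that rewrites the source address breaks verification at the receiver. The HMAC-based `ah_icv` below is a simplified stand-in for the real AH computation (RFC 4302 covers more header fields and zeroes mutable ones); the key and addresses are constructed sample values.

```python
import hashlib
import hmac
import ipaddress

# Constructed key shared by the two AH endpoints (example value, not a real secret).
AH_KEY = b"example-ah-key-for-illustration-only"


def ah_icv(src: str, dst: str, payload: bytes, key: bytes = AH_KEY) -> bytes:
    """Toy stand-in for the AH integrity check value: an HMAC over the source
    and destination addresses plus the payload. Real AH (RFC 4302) also covers
    other immutable header fields and zeroes the mutable ones, but the point
    illustrated here is the same: the IP addresses are part of what is signed."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def build_ah_packet(src: str, dst: str, payload: bytes) -> dict:
    """Sender side: attach the ICV computed over the addresses it put in the header."""
    return {"src": src, "dst": dst, "payload": payload, "icv": ah_icv(src, dst, payload)}


def nat_source(packet: dict, public_ip: str) -> dict:
    """A SOHO NAT gateway rewriting the private source address to its public one.
    It cannot recompute the ICV because it does not hold the AH key."""
    rewritten = dict(packet)
    rewritten["src"] = public_ip
    return rewritten


def verify_ah(packet: dict, key: bytes = AH_KEY) -> bool:
    """Receiver side: recompute the ICV over the header exactly as it arrived."""
    expected = ah_icv(packet["src"], packet["dst"], packet["payload"], key)
    return hmac.compare_digest(expected, packet["icv"])


def demo() -> tuple:
    """Returns (verifies_without_nat, verifies_after_nat)."""
    pkt = build_ah_packet("192.168.1.20", "203.0.113.5", b"constructed sample payload")
    direct_ok = verify_ah(pkt)                  # header untouched -> True
    natted = nat_source(pkt, "198.51.100.7")    # address rewritten in transit
    natted_ok = verify_ah(natted)               # ICV no longer matches -> False
    return direct_ok, natted_ok


if __name__ == "__main__":
    print(demo())
```

This is also why IPsec NAT traversal (RFC 3948) encapsulates ESP rather than AH in UDP: ESP's integrity check does not cover the outer IP header, so a NAT can rewrite it without invalidating the packet.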

Mobile wireless devices may be involved in various sorts of commerce, such as M-commerce and downloading multimedia streams with digital rights.

Depending on how you look at it, where conflicting privacy and ownership interests come into play, “trusted gateways” can bridge the no man’s land, or encapsulate the overlap as a trusted third party. This space is an area of active research and is, as yet, not as well defined as the other gateway functions. Issues here are closely tied to digital rights management. See for example the Shibboleth project.

The Internet was built on “transparency” and the “end-to-end principle”. Roughly stated, transparency “refers to the original Internet concept of a single universal logical addressing scheme, and the mechanisms by which packets may flow from source to destination essentially unaltered.” The end-to-end principle holds that functions of data transmission other than transport, such as data integrity and security, are best left to the transmission endpoints, themselves. This allows applications to be ignorant of the transport mechanisms, and transport systems to be ignorant of the data being transported. Gateways, by their nature, violate one or both of these principles.

Gateway deployment strategies

At the basic network level, gateways are viewed as servers or end-systems. But gateways create their own overlay networks and may be involved in ISO level 2 and level 3 routing. The use of gateways can greatly complicate problems of network management.

Their deployment should be carefully considered within a comprehensive network coverage and security strategy.

The main reason for using a wireless security gateway is that intruders may gain access through an insecure wireless access point and mount an attack on the internal network.

802.11b, Bluetooth, and WAP are all potentially insecure. Access points with stronger security are possible using Cisco or 802.1x protocols. Typically, a large site or campus will need many access points for good coverage. The cost of numerous high-end access points and the problem of managing them, especially when they are not all from the same vendor, are major concerns. A common strategy is to use simple (“thin”) access points and put one or more security gateways between all wireless access points and the wired network. Then even if anyone can establish a connection to an access point, they will be challenged at the gateway. The gateway might use IPSEC, VPN, and/or LDAP encryption and authentication. Cisco also has LEAP, which it is pushing as PEAP for a standard. There are several products that include SSL VPNs and gateways.

Several strategies are available to ensure that access points connect only to a gateway.

Access points could be physically wired on a separate subnet where gateways provide the only bridge to the main wired network. Over a large area, the need to maintain two wired networks, one for access points, may be impractical. Multiple smaller networks can be used, each with its own gateway. Multiple gateways can share a common, central management tool – like CA or HP OpenView. They may also be arranged in master/slave relationships, i.e., for configuration and fail-over. Another alternative is to use access points that VPN tunnel to a single gateway, using the regular wired network as the transport medium.

Gateways can grant different users different levels of trust. The easiest way to set this up is to differentiate users by their IP address, and grant different levels of service (i.e., bandwidth) and different kinds of access (i.e., specific protocols like ftp and http, and specific destination hosts) using ISO level 2 (IP address) and level 3 (protocol type) filtering. Access classes can be grouped by role, and identified by predefined ranges of IP address.

By grouping IP addresses, the IP address can also be used to distinguish between wired and wireless clients, e.g., to deliver content appropriate to small or large screens, or to put a WAP service behind the gateway or firewall. Other parameters, such as signal strength will be harder to expose.

Basing access privilege on statically-assigned IP addresses makes systems difficult to manage and upgrade. Imagine having to change thousands of statically assigned IP addresses to accommodate a new access policy. A better approach uses DHCP and MAC addresses. The DHCP servers are configured with fixed MAC to IP address mappings which are much easier to maintain and can be upgraded as needed. The dynamically assigned IP address serves as a kind of token to gain specific levels of access. To hide these IP addresses from snoops, use one of the newer (or evolving) standards for level 2 encryption in the client and access point (i.e., Tunneled Transport Layer Security).

Gateway services

Any system granting access to clients should include a separate method for authenticating the user. MAC addresses can be spoofed. The gateway may provide its own authentication service, or act as a proxy for a remote authentication service available elsewhere on the network. Various authentication services can serve this function, including RADIUS and Windows Active Directory. Using an underlying operating system’s authentication may allow the user to log in to both the network and a machine with a single sign-in. 802.1x proposes this approach. A “captive portal” directs every http request from a not yet authenticated user to the authentication service (and blocks all other types of requests).
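The access model of the two preceding sections (DHCP reservations that map a MAC to an IP, access classes identified by IP range, and a separate captive-portal login because MAC addresses can be spoofed), as an added simulation that is not part of the original text. All MAC addresses, IP ranges, role policies, the portal URL and the credential table are constructed placeholders; a real gateway would proxy `login` to RADIUS or Active Directory rather than hold a dictionary of passwords.

```python
from dataclasses import dataclass, field
import ipaddress

# Constructed DHCP reservation table: fixed MAC -> IP mappings (hypothetical values).
# Staff devices land in 10.10.1.0/24, visitor devices in 10.10.2.0/24.
DHCP_RESERVATIONS = {
    "00:11:22:33:44:01": "10.10.1.10",
    "00:11:22:33:44:02": "10.10.1.11",
    "00:11:22:33:44:50": "10.10.2.10",
}

# Access classes identified by IP range: allowed protocols, destinations the
# class may never reach, and a bandwidth cap (all constructed policy values).
ROLE_RANGES = {
    "staff": {
        "net": ipaddress.ip_network("10.10.1.0/24"),
        "protos": {"http", "https", "ssh", "ftp"},
        "deny_dests": [],
        "kbps": 5000,
    },
    "visitor": {
        "net": ipaddress.ip_network("10.10.2.0/24"),
        "protos": {"http", "https"},
        "deny_dests": [ipaddress.ip_network("10.0.0.0/8")],  # no internal hosts
        "kbps": 512,
    },
}


@dataclass
class Gateway:
    # Placeholder portal address (not from the page).
    portal_url: str = "https://portal.example.invalid/login"
    # Constructed stand-in for the remote authentication service (RADIUS, AD)
    # that a real gateway would proxy to. Never store passwords like this.
    auth_backend: dict = field(default_factory=lambda: {"alice": "pw-alice", "guest42": "pw-guest"})
    sessions: dict = field(default_factory=dict)  # client IP -> authenticated user

    def lease_ip(self, mac: str) -> str:
        """DHCP hands out the reserved address; that address is the access token."""
        if mac not in DHCP_RESERVATIONS:
            raise PermissionError(f"no reservation for {mac}")
        return DHCP_RESERVATIONS[mac]

    def role_for(self, ip: str):
        addr = ipaddress.ip_address(ip)
        for role, spec in ROLE_RANGES.items():
            if addr in spec["net"]:
                return role
        return None

    def login(self, ip: str, user: str, password: str) -> bool:
        """Separate user authentication: a spoofed MAC yields a privileged IP,
        but the IP alone opens nothing until the portal login succeeds."""
        if self.auth_backend.get(user) == password:
            self.sessions[ip] = user
            return True
        return False

    def handle(self, ip: str, proto: str, dest: str) -> str:
        """Decide one flow. Unauthenticated HTTP is captured to the portal and
        everything else from that client is dropped."""
        role = self.role_for(ip)
        if role is None:
            return "drop: address outside any access class"
        if ip not in self.sessions:
            return f"redirect {self.portal_url}" if proto == "http" else "drop: unauthenticated"
        spec = ROLE_RANGES[role]
        if proto not in spec["protos"]:
            return f"drop: {proto} not allowed for {role}"
        if any(ipaddress.ip_address(dest) in net for net in spec["deny_dests"]):
            return f"drop: {role} may not reach {dest}"
        return f"allow ({role}, {spec['kbps']} kbps)"


if __name__ == "__main__":
    gw = Gateway()
    ip = gw.lease_ip("00:11:22:33:44:50")
    print(gw.handle(ip, "http", "203.0.113.10"))   # redirected to the portal
    gw.login(ip, "guest42", "pw-guest")
    print(gw.handle(ip, "http", "203.0.113.10"))   # allowed as visitor
    print(gw.handle(ip, "http", "10.10.1.10"))     # internal host denied
```

Note that the role is still derived from the address, so a device that spoofs a staff MAC does obtain a staff IP; what stops it is that `handle` refuses every flow until `login` has bound that IP to an authenticated user.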

There are situations where wireless clients are not capable of performing a standard authentication behavior. Sensors on a shop floor or in a wireless automotive network might be examples. In these cases, with very limited privileges, statically assigned access may be justified. But the security implications must be carefully considered and strong encryption should be used.

Roaming is another issue that gateways can address. Roaming users may move out of range of their current access point and into range of several alternative access points.

Handover delays may affect streaming applications like VoIP and video. Secure access points might require the user to be re-authenticated, while gateways offer other options.

The 802.11 Fast Roaming Study Group and 802.21 working group are looking for standard ways to address roaming, as is a partnership among Proxim, Avaya, and Motorola.

WAP devices use WTLS instead of SSL, due to the assumed WAP client’s resource constraints. The basic WAP configuration involves a WAP gateway that translates between the various WAP protocols and the corresponding Internet protocols. The WAP gateway translates between WTLS and SSL by decrypting the message as it comes in and then re-encrypting it in the other protocol before passing it on. Decrypting the message in the WAP gateway is only one of many WTLS vulnerabilities. Better security can be achieved by using an encryption protocol in the layer above WTLS/SSL that works directly between the client and server endpoints.
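The two configurations described above, as an added simulation that is not part of the original text: a gateway that decrypts the WTLS leg and re-encrypts on the SSL leg necessarily holds the cleartext, while an extra encryption layer negotiated directly between client and server leaves the gateway with ciphertext only. `seal`/`unseal` is a toy encrypt-then-MAC record layer built from HMAC (not WTLS, SSL, or any real cipher suite); the keys and the message are constructed.

```python
import hashlib
import hmac
import os


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one record key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from an HMAC PRF (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC record protection standing in for a WTLS or SSL
    record layer. It only models 'encrypted on this hop with this key'."""
    nonce = os.urandom(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, record: bytes) -> bytes:
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("record integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class WapGateway:
    """Terminates the WTLS leg and re-encrypts on the SSL leg. Whatever it
    decrypts is visible to anyone who controls the gateway host."""

    def __init__(self, wtls_key: bytes, ssl_key: bytes):
        self.wtls_key, self.ssl_key = wtls_key, ssl_key
        self.visible = []   # cleartext of every record that passed through

    def forward(self, wtls_record: bytes) -> bytes:
        inner = unseal(self.wtls_key, wtls_record)
        self.visible.append(inner)
        return seal(self.ssl_key, inner)


def demo() -> tuple:
    """Returns (leak_with_hop_by_hop_only, leak_with_end_to_end, server_received_message)."""
    # Constructed keys: client<->gateway (WTLS), gateway<->server (SSL),
    # and client<->server for the end-to-end layer above them.
    wtls_key, ssl_key, e2e_key = os.urandom(32), os.urandom(32), os.urandom(32)
    message = b"PAY 100 EUR to merchant 4711"   # constructed sample payload
    gw = WapGateway(wtls_key, ssl_key)

    # 1. Basic WAP configuration: the gateway sees the cleartext.
    server_side = unseal(ssl_key, gw.forward(seal(wtls_key, message)))
    leak_hop = message in gw.visible and server_side == message

    # 2. Extra encryption layer between the endpoints: the gateway sees only ciphertext.
    gw.visible.clear()
    e2e_record = seal(e2e_key, message)
    server_side = unseal(e2e_key, unseal(ssl_key, gw.forward(seal(wtls_key, e2e_record))))
    leak_e2e = message in gw.visible
    return leak_hop, leak_e2e, server_side == message


if __name__ == "__main__":
    print(demo())
```

The outer WTLS and SSL layers are still needed for the headers the gateway must read to do its translation; the end-to-end layer only protects the application payload, which is exactly the part a compromised gateway should not be able to read.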

PKI-based encryption is the logical candidate for end-to-end encryption, e.g., for M-commerce applications. But PKI is resource intensive. The special processing could be handled by a SIM/WIM smartcard, but smartcards add cost to small devices. Research is currently underway to use a remote server to perform the heavy processing part of the RSA/ECC algorithm implementation, while the client still keeps all key parameters secret.

Resource overhead for even basic internet connectivity can be an issue for very small devices, such as those imagined for wearable and ubiquitous computing. A special class of gateway, called personal mobile gateway (PMG), has WAN capability (e.g., GSM/GPRS) and shares it with other little devices with PAN connectivity (i.e., Bluetooth, 802.11, 802.15). The delegation can be general, or specific to the type of applications needed (SMS, voice, digital photos, video, etc.) Security issues at this level are beyond the scope of this discussion.

Government wireless installations are required to meet the NIST FIPS 140-2 standard for cryptographic modules. RADIUS does not meet this standard. For such applications a FIPS 140-2 compliant gateway and corresponding authentication server software must be used. The physical vulnerability of gateways in unattended locations may also need to be addressed. By encasing the gateway’s circuitry in a special hardened plastic security potting resin, any attempt at physical tampering will be easily recognized.

In any discussion of security and gateways the limitations of gateways must be emphasized. Gateways form part of a perimeter defense for wired networks. They do not solve the vulnerability of any network to insiders with malicious intent. In addition, while the gateway strategy addresses the threat to the network from malicious wireless devices, it doesn’t protect wireless devices from malicious access points.

Vocabulary tasks

Give as many word combinations as possible and translate them.


What do the following abbreviations from Text 1 mean?


Give your definitions of the following terms.

Wireless environment


smart device

Make the word combinations.

    1. data a) network

    2. Nomadic b) compromise

    3. inbound c) rate

    4. two-way d) interconnect

    5. cordless e) of an enterprise

    6. power f) traffic

    7. ad hoc g) access

    8. cross-building h) radio

    9. security i) system

    10. assets j) consumption

Translate into Russian the following passage.

In recent years, many authentication protocols for wireless networks have been proposed. When a mobile user is roaming in a wireless environment, it is desirable to protect the relevant information about him. Assuring the anonymity of a mobile user prevents unintended parties from associating him with the messages to/from him or with the sessions in which he participates. The disclosure of a mobile user’s identity allows unauthorized entities to track his movement history and current location. Illegal access to any information related to a user’s location without his notice can be a serious violation of his privacy. So anonymity is one of the important properties of these protocols.

A basic solution for the provision of user anonymity is to use a temporary identity (TID) of a mobile user instead of his real one. Several security-related protocols with anonymity for wireless mobile communication systems have been proposed based on symmetric key cryptography or public key cryptography. However, in a mobile communication system, there are a few things to consider when security protocols are being designed. First, the low computational power of mobile devices should be considered, which means a security protocol requiring heavy computation on the mobile nodes is not adequate. Secondly, wireless mobile communication networks have a lower bandwidth and a higher channel error rate than wired networks. So the security protocols should be designed to minimize the message sizes and the number of messages exchanged. Our proposed authentication scheme is based on public key cryptosystems, but mobile users only do symmetric encryption and decryption.
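The temporary-identity idea in the passage above, as an added simulation that is not part of the original text and not the scheme the passage's authors propose (the page gives no details of it): the real identity stays inside the home network, each session the mobile presents only its current TID plus an HMAC, and both sides derive the next TID from the shared key, so the mobile does symmetric operations only and a single short message suffices. The home network also keeps the previous TID acceptable for one more round so that a lost acknowledgement on the error-prone channel does not lock the user out. The identity string and keys are constructed values.

```python
import hashlib
import hmac
import os


def _auth_tag(key: bytes, tid: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, b"auth" + tid + nonce, hashlib.sha256).digest()


def _next_tid(key: bytes, tid: bytes, nonce: bytes) -> bytes:
    """Both sides derive the next temporary identity from the shared key, so
    no new identifier ever has to be sent over the air."""
    return hmac.new(key, b"tid" + tid + nonce, hashlib.sha256).digest()[:8]


class HomeNetwork:
    def __init__(self):
        self.keys = {}        # real identity -> long-term symmetric key (never transmitted)
        self.window = {}      # real identity -> {current TID, previous TID}
        self.tid_index = {}   # acceptable TID -> real identity

    def enroll(self, real_id: str):
        key, tid = os.urandom(32), os.urandom(8)
        self.keys[real_id] = key
        self.window[real_id] = {tid}
        self.tid_index[tid] = real_id
        return key, tid

    def authenticate(self, tid: bytes, nonce: bytes, tag: bytes) -> bool:
        real_id = self.tid_index.get(tid)
        if real_id is None:
            return False
        if not hmac.compare_digest(tag, _auth_tag(self.keys[real_id], tid, nonce)):
            return False
        new_tid = _next_tid(self.keys[real_id], tid, nonce)
        # Keep the TID just used acceptable once more: if the acknowledgement
        # is lost, the mobile will still present it next time.
        for stale in self.window[real_id] - {tid}:
            self.tid_index.pop(stale, None)
        self.window[real_id] = {tid, new_tid}
        self.tid_index[new_tid] = real_id
        return True


class Mobile:
    """Only symmetric operations: one HMAC to authenticate, one to rotate the TID."""

    def __init__(self, key: bytes, tid: bytes):
        self.key, self.tid = key, tid

    def request(self):
        nonce = os.urandom(8)
        return self.tid, nonce, _auth_tag(self.key, self.tid, nonce)

    def acknowledged(self, nonce: bytes):
        self.tid = _next_tid(self.key, self.tid, nonce)


def simulate(rounds: int = 3, drop_ack_at=None) -> dict:
    """Run several sessions; optionally lose the acknowledgement of one of them.
    Reports how many sessions the home network accepted, how many distinct
    TIDs an eavesdropper saw, and whether the real identity ever went on the air."""
    home = HomeNetwork()
    real_id = "alice@home.example"   # constructed identity
    mobile = Mobile(*home.enroll(real_id))
    accepted, seen_tids, leaked = 0, [], False
    for i in range(rounds):
        tid, nonce, tag = mobile.request()          # the only bytes on the air
        leaked |= real_id.encode() in tid + nonce + tag
        seen_tids.append(tid)
        if home.authenticate(tid, nonce, tag):
            accepted += 1
            if i != drop_ack_at:
                mobile.acknowledged(nonce)
    return {"accepted": accepted, "distinct_tids": len(set(seen_tids)), "real_id_leaked": leaked}


if __name__ == "__main__":
    print(simulate(3))
    print(simulate(3, drop_ack_at=1))
```

An eavesdropper sees a fresh pseudorandom TID per session and cannot link them without the key; the one-round window is the price of tolerating lost acknowledgements, and it is also why a TID should be retired as soon as its successor has been used.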

Translate into English the following passage.

Regular research into wireless networks and protocols helps us form a picture of the real state of affairs in this field. We try to cover these issues in our articles in order to draw users' attention to them. The main objects of our research are Wi-Fi access points and mobile devices that support the Bluetooth protocol.

We have already published reviews of the state of wireless networks in the Chinese cities of Beijing and Tianjin, of the networks that operated during the CeBIT 2006 exhibition, and the results of a study in London during the InfoSecurity exhibition.

The next venue for our tests was the capital of France in general, and the InfoSecurity 2006 exhibition held there at the end of November in particular.

We planned to collect statistics on Bluetooth devices at the exhibition, in the Paris metro and simply on the streets of the city. Until now we had never once managed to detect the presence of even one of the mobile worms, Cabir or Comwar, in the world's major cities, but we placed special "hopes" on France, because the first mobile worm (Cabir) was created there.

Additional vocabulary

    1. gateway - internetwork gateway

    2. session - session

    3. flow control - transmission control, data flow control

    4. protocol conversion - protocol conversion

    5. application specific - of specialized application

    6. overlap - coincidence

    7. intruder - a person without authorized access

    8. fail-over – failure, setback, fault

    9. statically-assigned IP address – statically assigned address

    10. spoof - to deceive

    11. handover delay – call handover delay

    12. malicious intent - malicious intent
