Expert Comment
November 2003
Bringing control to the uncontrolled
Benoit Chatelard, WLAN Marketing Manager at Gemplus,
assesses the opportunities and risks associated with WLAN,
and considers the important role that smart cards can play
in securing this wireless environment.
In the last couple of years, the wireless LAN market has
gained great momentum and the deployment of WLAN equipment
in public access places, SMEs, SoHos and residential areas
is shortly expected to become widespread. The fact that WLANs
can be more cost effective than wired LANs and that they provide
access to a network anywhere in the building makes this technology
an excellent solution to improve a company's efficiency and
customer satisfaction.
More and more laptops, PDAs, home network appliances, etc.
are WLAN enabled and the trend seems indisputable. Already
widely used in homes and offices, WLAN hot spots have started
emerging in public places, such as cafés, airport lounges
and conference centres. As part of the increasingly diverse
range of services offered by mobile network operators, offering
permanent and remote access to corporate networks, Internet
and other data via WLANs is the key to providing an everyday
service that will soon be indispensable, as physical barriers,
such as office walls, come tumbling down.
However, using a PC to access a WLAN has issues with security,
which need to be overcome before the use of WLAN becomes widespread.
Wherever there is remote access to data, be it via GPRS, 3G
or WLAN, there is a need for security in terms of access control,
protecting user identity, mutual authentication, confidentiality,
session integrity and reliable key exchange preventing a third
party from listening in on a transmission.
Recently, The 802.11 Report reported “the RIAA
was forced to drop a suit against Massachusetts’s sculptor
Sarah Seabury Ward, whom it had accused of using Kazaa to
illicitly download music. She had a solid defense: Kazaa runs
only on Wintel computers. She uses a Macintosh. The mistake
should be a warning to users of unsecured 802.11 networks.
Given the current state of vendor-neutral security solutions
for WLAN networks, it is possible for a file trader seeking
to avoid legal action to attach to a poorly secured network
explicitly for the purpose of downloading illicit music files:
there is no way for the ISP to determine whether or not a
rogue wireless network client was responsible for the illicit
activity”. This means that the weak levels of security
currently existing in WLAN networks offer a loophole for illegal
use. WLAN service providers and content providers need to
toughen up identity mechanisms in order to protect themselves
from this sort of activity.
As usernames and password-like identities become less reliable,
strong identities and powerful, trustable authentication schemes
are required to build the trusted relationship between the
network, the operator and the customer (enterprise or consumer).
This is where the smart card comes in; it has been in operation
in one form of wireless communications for many years and
it is renowned for its high levels of security as a tamper-resistant
device for network access and user identification in GSM,
as well as the most secure device for performing corporate
authentication in LANs.
Building on existing operator technology
Implementation is a thorny issue. Most WLAN market players,
especially Mobile Network Operators, will require tight inter-working
between all their wireless data networks. Market players are
looking to build an attractive offer between the networks
that they operate and will thus require interoperability.
The smart card is a strong asset in this perspective, making
implementation less complex and more cost effective than any
currently proposed alternative.
Another key issue is ubiquitous global coverage. Although
the number of public WLAN hot spots is increasing at a significant
rate, coverage can still be ‘spotty’. A truly
effective enterprise mobile solution should provide the business
traveller with true global roaming between hot spots for seamless
connectivity. In GSM, smart cards are part of the roaming
authentication architecture put in place by the operator and
are the only operator stronghold within the mobile device.
The use of a SIM/USIM card as an authentication token on a
WLAN, with a dedicated WLAN application on-board, allows the
operator to securely authenticate its subscribers while re-using
its existing authentication and even billing and roaming infrastructure,
making it a cost effective solution for WLAN providers. Furthermore,
WLAN networks can be smoothly integrated into 2.5 and 3G networks,
thus facilitating roaming capabilities both within the operator’s
own network and worldwide.
As the subscription is always terminal independent, the SIM
remains the only trusted operator-managed element and the
only link between the operator and the subscriber. As PCs
and WLANs are open environments, the operator can impose the
use of anti-virus programs, but cannot control it. However,
the SIM gives the operator peace of mind about the integrity
of the environment.
At the heart of any operator’s business is the welfare
of its subscribers. By using the SIM to access WLAN, the subscriber
benefits from one service provider, one authentication process
and only one billing scheme regardless of what services and
what network are used. The use of the SIM provides ubiquitous,
secure access for mobile data applications regardless of the
communication channel. With a SIM card, the complexity of
GPRS, 3G and WLAN is removed: we simply talk about mobile
data services.
The corporate client
The early adopters for mobile data services are primarily
enterprises looking to offer their employees remote access
to corporate resources or VPNs.
The four key issues that IT managers must address are security,
coverage, costs, and complexity. An enterprise’s data
is its most valuable asset, and it goes without saying that
no business can afford to risk having its confidential communications
intercepted. Security for services, usage and for the protection
of company data are key issues that need to be overcome before
the use of WLAN becomes widespread.
The smart card based solution proves to be the most secure
as it mixes both client/server authentication and physical
management of each individual’s identity. Enterprise
clients offering WLAN or any other method of access to their
employees know that access to their company data is secured,
both via their own solution (virtual private network) and
their corporate credentials managed by the smart card. Being
in most cases a matter of plug and play, smart cards are also
far less costly than alternative hardware authentication tokens.
Conclusion
The opportunities for WLAN are immense. However, great risks
are also presented. It is unthinkable that security should
be compromised and so in order to protect the interests of
all parties, a secure authentication process is essential.
The opportunities for the operator are the greatest. With
their existing infrastructure, the roll out of WLAN services
will be straightforward. The billing for WLAN services will
slot easily into the existing process and the new SIM, with
its new WLAN authentication token on board, will simply take
its natural place in the subscriber terminal and carry on
as before, whatever the network.
“Reduce costs, minimize risks, maximize productivity,
and get a rapid return on investment” are the marching
orders for any IT department in today’s business environment.
This is also true for mobility management. Providing simple
and highly secure tools to their employees for staying connected
is a must-have. Smart card technology meets these requirements:
it sits at the heart of our communications strategy for tomorrow’s
wireless networked world. Whatever our access point to this
world, our key will be our smart card.