FAQ’S ABOUT WAP
Presented By Abhilash Pillai
CSCI 5939 - Independent Study

Topics Covered
• Definition of a WAP gateway
• Architecture of a WAP gateway
• Configuration of WAP gateway
• Security over a WAP gateway
• Definition of WAP server
• Role of a WAP server

Definition of WAP gateway
• A WAP gateway is a piece of software that has several functions in the chain between the WAP device and the web server.
• When implementing services in Wireless Application Protocol (WAP), information is translated into Wireless Markup Language (WML) by a two-way device called a WAP gateway.

Architecture of WAP Gateway
Components of architecture
• Wireless Device
• WAP Gateway
• HTTP Server

Explanation Of Architecture
The data transfer procedure is as follows:
• Client sends a WSP request to the WAP gateway
• WAP gateway decodes the WSP request into an HTTP request
• WAP gateway sends the HTTP request to the HTTP server
• WAP gateway receives the HTTP reply from the HTTP server
• WAP gateway encodes the HTTP reply headers into WSP reply headers
• WAP gateway uses the WML compiler to encode the received WML data into WMLC format, which is more compact
• WAP gateway sends the WSP reply
• Client parses the WSP reply and presents the data

Architecture (cont.)
From the previous procedure we can see that the main tasks of a WAP gateway are:
• Communication with clients (based on WSP)
• Decoding WSP requests into HTTP requests
• Communication with the HTTP server (based on HTTP)
• Encoding HTTP reply headers into WSP reply headers
• Compiling WML data into WMLC format
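
The decode step of the procedure above, as an added example that is not part of the original slides: a simplified parser that turns a connectionless WSP Get PDU into the HTTP request a gateway would send, with the bounds and character checks a gateway needs on untrusted input. It assumes the PDU carries no encoded WSP headers; the function names and the sample PDU are constructed for illustration.

```python
GET = 0x40  # WSP PDU type octet for Get

def read_uintvar(buf, pos):
    """Decode a WSP uintvar: 7 payload bits per octet, high bit means 'more'."""
    value = 0
    for _ in range(5):                          # a uintvar is at most 5 octets
        if pos >= len(buf):
            raise ValueError("truncated uintvar")
        octet = buf[pos]
        pos += 1
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            return value, pos
    raise ValueError("uintvar longer than 5 octets")

def wsp_get_to_http(pdu):
    """Return (tid, http_request_text) for a header-less connectionless Get."""
    if len(pdu) < 3:
        raise ValueError("PDU too short")
    tid, pdu_type = pdu[0], pdu[1]              # transaction id, then PDU type
    if pdu_type != GET:
        raise ValueError(f"unsupported PDU type 0x{pdu_type:02x}")
    uri_len, pos = read_uintvar(pdu, 2)
    if uri_len == 0 or pos + uri_len > len(pdu):
        raise ValueError("URI length exceeds PDU")
    # Non-ASCII bytes raise UnicodeDecodeError, which is a ValueError.
    uri = pdu[pos:pos + uri_len].decode("ascii")
    if any(c in uri for c in "\r\n "):          # would corrupt the HTTP request
        raise ValueError("illegal character in URI")
    if pos + uri_len != len(pdu):
        raise ValueError("encoded WSP headers are not handled in this sketch")
    scheme, _, rest = uri.partition("://")
    host, _, path = rest.partition("/")
    if scheme != "http" or not host:
        raise ValueError("only absolute http:// URIs are accepted")
    return tid, f"GET /{path} HTTP/1.1\r\nHost: {host}\r\n\r\n"

# Constructed sample: TID 0x01, type Get, one-octet uintvar length, URI.
SAMPLE_URI = b"http://example.com/index.wml"
SAMPLE_PDU = bytes([0x01, GET, len(SAMPLE_URI)]) + SAMPLE_URI
```
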

Configuration of WAP gateway
• The WAP gateway and web server, which together form the WAP server, are placed outside the content provider's domain
• System is less secure

Configuration (cont.)
• The WAP server, i.e. the WAP gateway and the web server, is placed in the content provider's domain
• System is more secure

How the configuration works
• The mobile user types in the URL for a site on the WAP device.
• The WAP device first checks if it already has an open connection.
• If not, it dials the modem attached to a dial-in server (RAS, or Remote Access Service). This server gives the WAP device access to the protocols it needs.
• These protocols are the same lower-level protocols that a normal Internet Service Provider will give you, i.e. PPP (Point-to-Point Protocol).

Description (cont.)
• After the PPP provider has given the WAP device the required protocols and assigned it an IP address, the request for the URL is sent to the WAP gateway.
• The WAP gateway, now under "control" of the WAP device, requests the URL with a normal HTTP request.
• The WAP gateway is the link between the wireless network and the Internet, basically giving the WAP device access to the common Internet.

Description (cont.)
• On the Internet, the web server receives the request from the WAP gateway and sends back the contents located at the URL.
• Finally, back at the WAP device that requested the URL, the WML browser receives the tokenized WML code and renders the contents on the WAP device's display, presenting the first card of the deck on the screen for the user.
• To sum up, the client makes a request. This request is received by a WAP gateway, which processes the request, formulates a reply using WML and sends it back to the client for display. This process is very similar in concept to the standard HTTP transaction involving client Web browsers.

Security Issues
• For a short span of time the data is unencrypted in the WAP gateway; this is a major security issue
• It is up to the vendor's discretion to make the gateway as secure as possible

Security Issues (cont.)
• The second security issue is that of the certificates that are provided for the device
• This certificate is used to access the various services for a particular user
• If the mobile device is lost, it is possible for any user who possesses that mobile device to access the various services
• For this reason the new WTLS specification introduced the idea of PINs, i.e. a secure token ID. The user is supposed to reveal the token before using the services.

What is a WAP server
• A WAP server is nothing more than a normal web server and a WAP gateway-like device built into one.
• The WAP server can plug a few holes that are currently unplugged in the WAP environment.
• Since the WAP server contains a gateway, the third-party gateway usually hosted by the mobile operator can be skipped, and the host of the WAP content will have full control over the encrypted stream.

Is WAP secure with SSL and WTLS?
• SSL, or Secure Sockets Layer, which is widely used in the "web" world to encrypt the data stream between the browser and the web server, is also used in the WAP environment.
• SSL is only used between the web server and the WAP gateway. Between the WAP gateway and the WAP device, a similar system called WTLS, or Wireless Transport Layer Security, is used. WTLS is specialized for the wireless environment.
• SSL and WTLS on their own provide adequate security for most applications. However, there is a potential security problem where the two protocols meet, and that is inside the WAP gateway.

Models of WAP system

[WAP device] --|-- WTLS -- [WAP gateway {unprotected}] --|-- SSL -- [Content Server]
           (Firewall)                                (Firewall)

• SSL is not directly compatible with WTLS, so the WAP gateway must decrypt the SSL-protected data stream coming from the web server and then re-encrypt it using WTLS before passing the data on to the WAP device
• Inside the memory of the WAP gateway, the data is unprotected

Models (cont.)
A more secure model, but with a tradeoff

[WAP device] --|-- WTLS --|-- [WAP Server acting as WAP gateway]
           (Firewall) (Firewall)

• WAP players are developing solutions to the problem posed in the earlier model, but for now these solutions create other problems
• "WAP servers" provide end-to-end security in a way, because the data stream leaves the "WAP server" already encrypted with WTLS

Proposed solution for the future
• Pass-through model of WAP system

[WAP device] --|-- [WAP gateway] --|-- [WAP Server]
               |------- WTLS ------|
           (Firewall)          (Firewall)
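
The difference between the translating-gateway model and the pass-through / WAP-server models above, as an added example that is not part of the original slides. The `seal`/`open_` functions are a toy stand-in for WTLS and SSL records (not the real protocols and not suitable for real use), and all keys, class names and the sample deck are constructed.

```python
import hashlib
import hmac

def _keystream(key, n):
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def seal(key, plaintext):
    """Toy encrypt-then-MAC record; stands in for a WTLS or SSL record."""
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def open_(key, record):
    body, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad record MAC")
    return bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))

class TranslatingGateway:
    """First model: terminates both SSL and WTLS, so it holds both keys."""
    def __init__(self, wtls_key, ssl_key):
        self.wtls_key, self.ssl_key = wtls_key, ssl_key
        self.memory = []                         # what the gateway host can read
    def downstream(self, ssl_record):
        clear = open_(self.ssl_key, ssl_record)  # SSL protection ends here
        self.memory.append(clear)                # the unprotected moment
        return seal(self.wtls_key, clear)        # WTLS protection starts here

class PassThroughGateway:
    """Pass-through model: forwards records and holds no key."""
    def __init__(self):
        self.memory = []
    def downstream(self, wtls_record):
        self.memory.append(wtls_record)
        return wtls_record

def run_models(deck=b"<wml><card><p>balance: 1200</p></card></wml>"):
    wtls_key, ssl_key, e2e_key = b"constructed-wtls", b"constructed-ssl", b"constructed-e2e"
    gw = TranslatingGateway(wtls_key, ssl_key)
    seen_1 = open_(wtls_key, gw.downstream(seal(ssl_key, deck)))
    pt = PassThroughGateway()
    seen_2 = open_(e2e_key, pt.downstream(seal(e2e_key, deck)))
    return {"delivered": seen_1 == deck == seen_2,
            "gap_exposes_plaintext": deck in gw.memory,
            "passthrough_exposes_plaintext": deck in pt.memory}
```

Both models deliver the same deck to the device; only the translating gateway ever holds it in clear, which is why the slides place the risk at the gateway host rather than on either encrypted leg.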

What is a proxy server?
• A proxy server plays the role of an agent between the web browser or another web client and the Internet. With the help of a proxy server, users can use the Internet in a controlled way, e.g. through a firewall.
• Furthermore, a proxy can be used as a filter (e.g. suppressing the referrer header for security) or to cache documents.
• It is possible to create "off-line" caches and to index them for later searching. Because a WAP proxy server can also act as a web server, it is possible to create virtual sites or to hide real sites.