Securing the Mobile Enterprise

September 17, 2009

Context Aware Mobility – 2 : Access Control


Context awareness is closely coupled with location awareness. The security and access-control considerations apply mainly at the network layer, because that is the one aspect of the device that crosses a trust boundary. All access control frameworks are built around the concept of trust between the entities and agents participating in the network. According to ISO/IEC 10181,

Trust is a relationship between two elements, a set of operations and a security policy P, where element X trusts element Y only if X has confidence that Y behaves in a well-defined way that does not violate P.

Most hierarchical trust models incorporate this central concept. In such models, one or more superior (i.e. more trusted) entities grant credentials to the participating peers. One example is the public key infrastructure (PKI) built around X.509 digital certificates, which underpins much of Internet security. Modern network access control (NAC) frameworks, however, especially those designed for fixed and mobile LANs, are adopting a distributed approach in which the NAC environment is structured dynamically around the users and the data being accessed. The Juniper Networks Unified Access Control (UAC) solution is one such instance. It lets administrators classify users and data on the fly through a rich and granular policy management framework. The decision engine then derives the policy (the access contract) by evaluating the user (permissions, clearance), the network (access method, resource properties) and the endpoint (OS, patch level, anti-virus status, etc.). The check to insist on in any such engine is that it fails closed: an endpoint whose posture cannot be assessed should land in a remediation network, not receive the role its user would otherwise earn.
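The policy evaluation described above, as an added example that is not part of the original post or of Juniper's product: a small Python policy engine that combines user clearance, access method and endpoint posture into one access contract. The thresholds, role names, clearance scale and the "no restricted data over remote access" rule are assumptions made for the illustration.

```python
"""Toy NAC policy decision engine.

Added example for this post, not Juniper's UAC code: it models the
evaluation described above (user, network and endpoint attributes
combined into one access contract) and shows the fail-closed behaviour
a practitioner should insist on. All thresholds, role names and the
clearance scale are assumptions made for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class User:
    name: str
    clearance: int              # assumed scale: 0 contractor, 1 employee, 2 privileged


@dataclass(frozen=True)
class Network:
    access_method: str          # "wired", "wifi-enterprise", "wifi-guest" or "vpn"
    resource_sensitivity: int   # 0 public, 1 internal, 2 restricted


@dataclass(frozen=True)
class Endpoint:
    os: Optional[str]                  # None when the host checker could not run
    patch_age_days: Optional[int]
    av_running: Optional[bool]
    av_signature_age_days: Optional[int]


@dataclass(frozen=True)
class Contract:
    role: str                   # "full", "restricted", "guest" or "quarantine"
    max_sensitivity: int        # highest resource level the session may reach
    reasons: Tuple[str, ...]


# Posture thresholds (assumed values, tune per organisation).
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
SUPPORTED_OS = {"windows", "macos", "linux"}


def assess_posture(ep: Endpoint) -> Tuple[str, List[str]]:
    """Return ("compliant" | "noncompliant" | "unknown", reasons).

    Any attribute the host checker failed to report makes the posture
    "unknown": missing data is treated exactly like a failed check.
    """
    if ep.os is None or ep.patch_age_days is None or ep.av_running is None:
        return "unknown", ["host check incomplete"]
    reasons = []
    if ep.os.lower() not in SUPPORTED_OS:
        reasons.append("unsupported OS: %s" % ep.os)
    if ep.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches %d days old" % ep.patch_age_days)
    if not ep.av_running:
        reasons.append("antivirus not running")
    elif ep.av_signature_age_days is None or ep.av_signature_age_days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures stale")
    return ("compliant" if not reasons else "noncompliant"), reasons


def decide(user: User, net: Network, ep: Endpoint) -> Contract:
    """Combine user, network and endpoint properties into one access contract."""
    state, reasons = assess_posture(ep)
    if state != "compliant":
        # Fail closed: remediation network only, regardless of who the user is.
        return Contract("quarantine", 0, tuple(reasons))
    if net.access_method == "wifi-guest":
        return Contract("guest", 0, ("guest SSID grants Internet access only",))
    # The user's clearance caps what may be exposed; the access method can
    # lower the cap further (assumed rule: no restricted data over remote access).
    cap = user.clearance
    if net.access_method == "vpn":
        cap = min(cap, 1)
    if net.resource_sensitivity > cap:
        return Contract("restricted", cap,
                        ("resource level %d exceeds session cap %d"
                         % (net.resource_sensitivity, cap),))
    return Contract("full", cap, ("compliant endpoint on %s" % net.access_method,))


if __name__ == "__main__":
    alice = User("alice", clearance=2)
    healthy = Endpoint("windows", patch_age_days=3, av_running=True, av_signature_age_days=1)
    unchecked = Endpoint(None, None, None, None)
    for net, ep in [(Network("wired", 2), healthy),
                    (Network("vpn", 2), healthy),
                    (Network("wired", 2), unchecked)]:
        c = decide(alice, net, ep)
        print(net.access_method, "->", c.role, c.reasons)
```

The point to take from it is the ordering: posture is evaluated before anything about the user counts, and an endpoint that cannot be assessed is treated like one that failed, so a broken host checker degrades to quarantine rather than to full access.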

Let us now look at the mechanism by which a mobile device 'attaches' to the network. Recall the behavior of a Windows PC when it first connects to a new network: the user is asked whether it is a home, work or public network, and Windows Firewall applies the corresponding profile. Subsequent visits to the same network automatically apply the same policy without manual intervention. Context awareness takes this concept to the next level: applications and services can also become "aware" of the network and tailor their behavior accordingly. The goal is to identify and, ideally, authenticate the network location. Note the difference between the two: Windows recognizes a network by attributes such as the gateway's address, which merely identifies the access provider, whereas a cryptographic exchange such as 802.1X/EAP with a validated server certificate actually authenticates it (a form of entity authentication). From the standpoint of privacy we also have to ensure that the client remains sufficiently anonymous before and during network access, so that a rogue network cannot learn who is present. In enterprise Wi-Fi (WPA/WPA2-Enterprise) the client and the network use IEEE 802.1X carrying EAP, typically backed by public key certificates. EAP is extensible, so new methods can be carried without changing the access network: EAP-TLS for certificate-based mutual authentication, EAP-SIM for authenticating against a GSM SIM, or EAP-JUAC, Juniper's method for UAC. The tunneled methods (PEAP, EAP-TTLS) protect the client's privacy by authenticating the server first and then performing client authentication inside the resulting TLS tunnel; the client should present only an anonymous outer identity. Two caveats apply. Plain EAP-TLS sends the client certificate, and with it the user's identity, before the handshake is encrypted (under TLS 1.2 and earlier), so it should itself be tunneled when identity privacy matters, and EAP-SIM relies on pseudonyms and re-authentication identities rather than a tunnel. And none of this helps if the supplicant does not actually validate the server certificate and its name: a client configured to skip that check will hand its inner credentials to any rogue access point broadcasting the right SSID.
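To make the server-authentication and identity-privacy points concrete, here is an added Python example (not code from the post, from wpa_supplicant or from Juniper) that audits wpa_supplicant network blocks: it parses a weak PEAP profile beside a hardened one and reports where the supplicant would accept a rogue server or leak the user's identity. The two configurations are constructed for the example, and the SSID, file paths, user names and RADIUS server name are assumptions.

```python
"""Audit wpa_supplicant 802.1X network blocks for the server-authentication
and identity-privacy points discussed above.

Added example for this post, not part of wpa_supplicant or of any Juniper
product. The two configurations are constructed for the example; the SSID,
file paths, user names and RADIUS server name are assumptions. The checks
rely on documented wpa_supplicant behaviour: without ca_cert the server
certificate is not validated at all, ca_cert without a name-match option
accepts any certificate the CA has issued, and anonymous_identity is what
goes into the cleartext outer EAP-Response/Identity.
"""
import re
from typing import Dict, List

# Constructed: a PEAP profile as many users write it. It "works", but any
# rogue AP with the same SSID can terminate the TLS tunnel and harvest the
# MSCHAPv2 exchange, and the real username is sent before the tunnel exists.
WEAK_CONF = """\
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@corp.example"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed: the same profile with server authentication pinned to the
# corporate RADIUS CA and server name, and an anonymous outer identity.
HARDENED_CONF = """\
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="alice@corp.example"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""

BLOCK_RE = re.compile(r"network=\{(.*?)\}", re.S)
KV_RE = re.compile(r'^\s*(\w+)\s*=\s*"?(.*?)"?\s*$')
TUNNELED_METHODS = {"PEAP", "TTLS"}
NAME_MATCH_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(conf: str) -> List[Dict[str, str]]:
    """Return one dict per network={...} block; quotes and comments stripped."""
    networks = []
    for body in BLOCK_RE.findall(conf):
        net = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()
            m = KV_RE.match(line) if line else None
            if m:
                net[m.group(1)] = m.group(2)
        networks.append(net)
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one block; an empty list means the checks all passed."""
    findings = []
    if net.get("key_mgmt") != "WPA-EAP":
        return findings                      # not an 802.1X network
    eap = net.get("eap", "").upper()
    if "ca_cert" not in net:
        findings.append("no ca_cert: server certificate is not validated, "
                        "so an evil-twin AP can harvest the inner credentials")
    elif not any(k in net for k in NAME_MATCH_KEYS):
        findings.append("ca_cert without domain_suffix_match/subject_match: "
                        "any certificate from that CA is accepted")
    if eap in TUNNELED_METHODS:
        anon = net.get("anonymous_identity")
        if not anon or anon == net.get("identity"):
            findings.append("real identity sent in the cleartext outer "
                            "EAP-Response/Identity; set anonymous_identity")
    if eap == "TLS":
        findings.append("EAP-TLS: the client certificate (and its subject) is sent "
                        "before the handshake is encrypted under TLS 1.2; tunnel it "
                        "if identity privacy matters")
    return findings


def audit_conf(conf: str) -> Dict[str, List[str]]:
    """Map each SSID to its findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(conf)}


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for ssid, findings in audit_conf(conf).items():
            print("%s %s: %s" % (label, ssid, findings or "OK"))
```

Run against the weak profile it reports both problems; against the hardened one it reports none. The name-match check matters as much as ca_cert: a public CA in ca_cert still lets anyone who can buy a certificate from that CA impersonate the RADIUS server.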
