Authentication, Authorization and Accounting in the Wireless Space


Being able to connect any computing device to any other, irrespective of location, is a blessing coupled with security pitfalls. For an individual, free access to any resources on the Internet is enormously powerful. For anyone concerned with corporate security, it is a major headache exposing the trove of corporate confidential information assets, both to unauthorized access and potential misuse, as well as exposure to viruses, works, and other digital pollution.

If a remote LAN is connected to the Internet it is almost certainly protected by a firewall. The identification for access control and authority is normally the IP address of the calling device. Thus the firewall for a corporate LAN is normally configured to only permit external access by devices which have an IP address which is within a predefined range, or has been uniquely registered. Where the device is one which is normally used within the LAN, and is calling in via some form of Remote LAN Access (RLA) technology, the firewall will identify it correctly and thus grant access to the device. If the same device attempts to establish a connection across the public Internet via an ISP, then it will normally inherit a new IP addressallocated by the ISP for the duration of the sessionand thus look like a foreign and potentially unwelcome visitor.

The situation is similar upon arrival of the mobile device at a remote site. In this instance, the device is allocated a new IP identity within the subnet in order for it to be accepted by, and receive network services from, the local routers and devices within the subnet.

This situation is further complicated by mobile devices which will exist within an IP subnet only for as long as they are in transmission range of the subnet. Firewalls therefore need to become a good deal more sophisticated in their recognition of mobile devices, if the user is to obtain a consistent access and service experience in accordance with their AAA (Authentication (who am I), Authorization (what am I allowed to do), and Accounting (how do you charge me for it)) profile regardless of their location.

There is much work currently underway in the Internet Engineering Task Force (IETF) to define the AAA requirements of mobile IP.

Many in the telecommunications industry claim that the IETF work is a duplication of effort. Cellular network operators have been able to authorize, authenticate, and account (bill) for voice call roaming for nearly a decade, and GSM data services such as SMS are already enabled for roaming across national boundaries with all the inter-network and customer billing taken care of within the infrastructure of the network. Notwithstanding these views, there is a clear need to bridge the Internet and telecommunications world. It would appear that the Mobile Wireless Internet Forum aspires to fulfil certain aspects of this need by bridging the old world of customer service and billing and the all new IP-based networks of the future.

The Role of The Open Group

The Open Group should be to monitor closely the activities of the IETF Mobile IP and Security working group and the Mobile Wireless Internet Forum (MWIF) to assess the extent to which the problems of AAA in the wireless space are being effectively addressed.

Existing Open Group enterprise integration activities addressing Security and eCommerce (LDAP-based), Directory Interoperability, and Enterprise Management are clearly synergistic with the needs of the wireless environment. The Open Group is able to bring together experts from the Mobile Management Forum and its existing programs to ensure that the wireless needs are addressed in a way that ensures smooth integration with existing enterprise systems.