GSM: Poised for US breakthrough

Global System for Mobile Communications (GSM) may have the lion’s share of wireless telephone traffic worldwide, but in the United States, GSM currently lags behind more widely deployed Code Division Multiple Access (CDMA) and Time Division Multiple Access (TDMA) technologies. That may not be the case for long, however.

Major vendor VoiceStream has a nationwide GSM network in the U.S., and both Cingular and AT&T are in the process of switching their TDMA networks to GSM general packet radio service (GPRS), a 2.5G technology that promises data transmission speeds of up to 144Kbps. Cingular and AT&T eventually plan to switch to a standard called Enhanced Data Rates for GSM Evolution (EDGE), which will increase data rates to 384Kbps. Meanwhile, Verizon, whose network is built on CDMA, is moving to a standard called CDMA 1xRTT to enable high-speed data services. Like EDGE, CDMA 1xRTT is a 2.5G technology that is an interim step on the road to 2Mbps mobile data services.

It looks like the technology is moving into place for the next generation of wireless services, but in support of what improvements over today’s phones? Clearly, better data services are the prime advantage, but there are advantages for talkers, too.

Because of its convenience and ease of use, voice recognition will be a boon for users on GSM GPRS networks. While some wireless providers support voice recognition applications today, all GPRS networks will build it in from the start. Application developers need to learn about the VoXML application for tying voice to XML-encoded data. And they need to consider how to make available a suitable set of public information resources for mobile access, the same way they now offer access for telephone and Web users.

While the new opportunities are exciting, network providers need to keep an eye out for new perils, too. As GSM becomes a universal standard, it will become more popular with virus writers and even spammers. But at the same time, vendors will step up to block unwanted calls and messages. A company called WhiteCell already has an application called SMSafe that lets network providers screen for spam the way e-mail providers currently can on data networks.

How much should all this affect your mobile phone purchasing plans? That depends on your time horizon. I’m not expecting major developments for about a year, at which time 2.5G features–which means simply technology for sending packet data over existing cellular networks originally designed for voice transmissions–should be more widely available through GSM GPRS. Most service contracts last a minimum of one year–don’t lock yourself in for more than that. Try to get the cheapest phones you can buy, too, because by the time your contract is up for renewal, your phones may be obsolete. Consider purchasing a combination PDA-phone, such as the Handspring Treo, today if GPRS is already available in your area. But be aware that as EDGE technologies unfold, even today’s cutting-edge phones will become obsolete; you’ll want new handsets that can take advantage of the new services’ features.

3G mobile networks, which promise high-speed, always-on voice, data, and multimedia services over an IP network, are even further down the road. IBM has an excellent white paper on the road map for 2.5G and 3G.

If you’re building mobile applications at the network level, be sure to consider how to migrate users from older technology, but plan for CDMA and TDMA to co-exist with GSM-based GPRS and its coming descendant EDGE for a long time.

Bad timing for SNMP alert

Why does it seem that not a week goes by without a security flaw detected in some widely popular software? The latest security hole is in the venerable Simple Network Management Protocol (SNMP), version 1. The problems were discovered last year by Finland’s Oulu University Secure Programming Group. OUSPG’s members devised a test suite that sent SNMP server software sample packets containing unexpected values or illegally formatted data, according to CERT. The group discovered many different vulnerabilities on different vendors’ implementations of SNMP. The flaws could allow sophisticated system programmers to crash devices running SNMP agents. In some vendors’ implementations, it might be possible for miscreants to gain access to a device without crashing it.
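The defect class behind "illegally formatted data" crashing an agent is a decoder that trusts the length fields in the incoming message. The following is an added example, not OUSPG's test suite and not any vendor's agent code: a bounds-checked BER decoder for the SNMPv1 message envelope (SEQUENCE of version, community, PDU) that drops and logs a malformed datagram instead of reading past the buffer. The sample packets, including the deliberately broken variants, are constructed here; the community-length limit is a local policy assumption, not a protocol constant.

```python
# Added example: a bounds-checked BER decoder for the SNMPv1 message envelope.
# Not OUSPG's test suite or any vendor's agent code; all sample packets are constructed.
from dataclasses import dataclass

PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
MAX_LENGTH_OCTETS = 4      # a UDP datagram never needs more; longer encodings are hostile
MAX_COMMUNITY_LEN = 255    # local policy limit (assumption), not a protocol constant


class MalformedPacket(ValueError):
    """Raised for any structural defect; the caller drops the datagram instead of crashing."""


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Decode one BER tag-length-value at buf[pos]; every length is checked against the buffer."""
    if pos + 2 > len(buf):
        raise MalformedPacket("truncated: missing tag or length byte")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise MalformedPacket("indefinite-length encoding is not valid in SNMP")
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n > MAX_LENGTH_OCTETS:
            raise MalformedPacket(f"length field uses {n} octets")
        if pos + n > len(buf):
            raise MalformedPacket("truncated long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise MalformedPacket(f"declared length {length} exceeds {len(buf) - pos} remaining bytes")
    return tag, buf[pos:end], end


@dataclass
class SnmpV1Message:
    version: int
    community: bytes
    pdu_type: str
    pdu: bytes


def parse_snmpv1(datagram: bytes) -> SnmpV1Message:
    """Parse SEQUENCE { version INTEGER, community OCTET STRING, PDU } and reject anything else."""
    tag, body, end = read_tlv(datagram, 0)
    if tag != 0x30:
        raise MalformedPacket(f"outer tag 0x{tag:02x} is not SEQUENCE")
    if end != len(datagram):
        raise MalformedPacket(f"{len(datagram) - end} trailing bytes after message")
    tag, version_bytes, pos = read_tlv(body, 0)
    if tag != 0x02 or len(version_bytes) != 1:
        raise MalformedPacket("version is not a one-octet INTEGER")
    if version_bytes[0] != 0:
        raise MalformedPacket(f"unsupported version {version_bytes[0]}")
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise MalformedPacket("community is not an OCTET STRING")
    if len(community) > MAX_COMMUNITY_LEN:
        raise MalformedPacket("community string too long")
    tag, pdu, pos = read_tlv(body, pos)
    if tag not in PDU_TYPES:
        raise MalformedPacket(f"unknown PDU tag 0x{tag:02x}")
    if pos != len(body):
        raise MalformedPacket("trailing bytes inside message SEQUENCE")
    return SnmpV1Message(0, community, PDU_TYPES[tag], pdu)


def classify(datagram: bytes) -> str:
    """'ok' for a well-formed message, otherwise the reason the agent would drop (and log) it."""
    try:
        parse_snmpv1(datagram)
        return "ok"
    except MalformedPacket as exc:
        return f"drop: {exc}"


# --- constructed sample traffic ---------------------------------------------------------
def tlv(tag: int, value: bytes) -> bytes:
    """Encode a BER TLV with a definite-form length, for building the samples."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


INTEGER, OCTET_STRING, NULL, OID, SEQUENCE, GET_REQUEST = 0x02, 0x04, 0x05, 0x06, 0x30, 0xA0
SYS_DESCR_0 = bytes.fromhex("2b06010201010100")  # OID 1.3.6.1.2.1.1.1.0

_varbind = tlv(SEQUENCE, tlv(OID, SYS_DESCR_0) + tlv(NULL, b""))
_pdu = tlv(GET_REQUEST, tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x00")
           + tlv(INTEGER, b"\x00") + tlv(SEQUENCE, _varbind))
GOOD = tlv(SEQUENCE, tlv(INTEGER, b"\x00") + tlv(OCTET_STRING, b"public") + _pdu)  # 40 bytes

# Defective variants of the kind a protocol test suite emits: each is dropped, none crashes.
OVERSIZED_COMMUNITY = GOOD[:6] + b"\x7f" + GOOD[7:]    # community claims 127 bytes
INDEFINITE_LENGTH = b"\x30\x80" + GOOD[2:]             # outer length byte 0x80
HUGE_LENGTH_FIELD = GOOD[:1] + b"\xff" + GOOD[2:]      # "127 length octets follow"
WRONG_VERSION = GOOD[:4] + b"\x01" + GOOD[5:]          # version INTEGER 1
TRAILING_GARBAGE = GOOD + b"\x00" * 4

if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("OVERSIZED_COMMUNITY", OVERSIZED_COMMUNITY),
                      ("INDEFINITE_LENGTH", INDEFINITE_LENGTH), ("HUGE_LENGTH_FIELD", HUGE_LENGTH_FIELD),
                      ("WRONG_VERSION", WRONG_VERSION), ("TRAILING_GARBAGE", TRAILING_GARBAGE)]:
        print(f"{name:20s} {classify(pkt)}")
```

Every length check happens before the bytes are touched, and the outer and inner SEQUENCEs must account for exactly the bytes present, so a datagram cannot make the decoder read beyond what it received. Logging the drop reason turns the same malformed-packet class into a detection signal rather than an outage.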

A troubling aspect of the story is the timing for revealing the vulnerabilities. Security consultants generally like to give vendors a chance to develop fixes for problems they find before announcing their discoveries and gaining respect for having found them. In this case, however, word began to get out to the user community before all the vendors were ready. Because SNMP is so widely implemented, not all companies had fixes ready by the time the problem was announced.

There’s disagreement in the security field about the prudence of disclosing security problems. Security guru Marcus Ranum fueled the debate in October 2000 when he called for security analysts to work with vendors before announcing vulnerabilities. His manifesto was widely mischaracterized, and he was called a traitor by the libertarian faction of the security community for suggesting any restrictions on the free flow of information.

Ranum was right, however. It’s in more people’s interest to begin working on a solution before announcing the problem. Here’s hoping that next time vendors have time to fix their flaws before their customers suffer from them.

The best way to secure wireless access

If you haven’t yet deployed wireless networking in your company, chances are you’re being held back by WLAN’s questionable security. Wireless data transmissions are as subject to interception as wireless phone calls, and the Wired Equivalent Privacy (WEP) encryption built into the 802.11b wireless specification has been proven to be easier to crack than it should be.

While casual “war drivers”–individuals who hang around outside companies and look for untended wireless connections–may not get to see your WEP-encrypted data, anyone bent on corporate espionage probably can.

The tried and true methods for securing wired LANs can also work for wireless networks. RADIUS, Kerberos, and LDAP authentication and PPTP, L2TP, and IPsec VPNs have a much better record of keeping your private data private. PPTP and L2TP have the added advantage of being bundled as part of Windows. But all these alternatives are less well-suited for wireless. They require central servers to maintain user security records, while wireless is inherently a decentralized medium. And because they encrypt the packets passing over the network, they defeat quality of service (QoS) software designed to read packet header information and prioritize traffic based on pre-set priorities.

I met recently with a company that makes a hardware box that addresses the need for better wireless security. Bluesocket Inc.’s $6,000 WG-1000 Wireless Gateway sits on a LAN between wireless access points and the rest of the corporate network. It acts as an authorization and VPN server. Any wireless data traffic can reach the device, but unauthorized users can’t get past it. Authorized packets pass across the internal network (which is presumably secure), unencrypted. That lets any devices you installed to implement network QoS do the job they were designed for.

There are a lot of potential pitfalls with a device like this, but Bluesocket’s architects seem to have avoided most of them. You can have multiple wireless gateways on the network, each one handling about 100 simultaneous users. (Your mileage may vary.) Two boxes can be designated as hot failover units for each other. All gateways on the network can be managed simultaneously from a single browser-based console using a master/slave hierarchy. Permissions are granted and denied according to user information defined in repositories like LDAP or Active Directory; you don’t have to duplicate all your existing user information. And you can set access policies on a user or role basis.
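The enforcement model described in the last two paragraphs, reduced to its logic, as an added example (not Bluesocket’s code): a gateway that lets any wireless client reach it, keeps a session table of clients who have authenticated against a directory of record, and applies first-match, role-based rules with a default deny to every flow heading toward the wired network. The directory entries, roles, rules and addresses are all constructed for the illustration.

```python
# Added example: role-based policy enforcement at a wireless gateway.
# Not Bluesocket's code; directory, roles, rules and addresses are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Stands in for the LDAP / Active Directory lookup: username -> role.
DIRECTORY = {"alice": "engineering", "bob": "finance", "visitor": "guest"}

INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")

# Per-role rules, evaluated top to bottom, first match wins; no match means deny.
# (destination network, allowed ports or None for any port, action)
ROLE_POLICY = {
    "engineering": [(INTERNAL, None, "allow"),
                    (ANY, {80, 443}, "allow")],
    "finance":     [(ip_network("10.20.0.0/16"), {443, 445}, "allow"),
                    (INTERNAL, None, "deny"),
                    (ANY, {80, 443}, "allow")],
    "guest":       [(INTERNAL, None, "deny"),
                    (ANY, {80, 443}, "allow")],
}


@dataclass(frozen=True)
class Flow:
    src: IPv4Address   # wireless client address
    dst: IPv4Address
    port: int


@dataclass
class Gateway:
    sessions: dict = field(default_factory=dict)  # client IP -> username after successful auth
    audit: list = field(default_factory=list)     # denied events, for the operations team

    def authenticate(self, client: IPv4Address, username: str, credential_ok: bool) -> bool:
        """Bind a client address to a directory identity once its credential has been verified."""
        if credential_ok and username in DIRECTORY:
            self.sessions[client] = username
            return True
        self.audit.append(f"auth-fail {client} user={username}")
        return False

    def decide(self, flow: Flow) -> str:
        """Return 'allow: ...' or 'deny: ...' for one flow crossing from the wireless side."""
        user = self.sessions.get(flow.src)
        if user is None:
            self.audit.append(f"unauthenticated {flow.src} -> {flow.dst}:{flow.port}")
            return "deny: unauthenticated"
        role = DIRECTORY[user]
        for network, ports, action in ROLE_POLICY[role]:
            if flow.dst in network and (ports is None or flow.port in ports):
                if action == "deny":
                    break
                return f"allow: {user}/{role}"
        self.audit.append(f"policy-deny {user}/{role} {flow.src} -> {flow.dst}:{flow.port}")
        return f"deny: {user}/{role} to {flow.dst}:{flow.port}"


def demo() -> list[str]:
    """Constructed walk-through: three clients, one of them never authenticated."""
    gw = Gateway()
    alice, mallory, visitor = (ip_address(a) for a in ("192.168.50.10", "192.168.50.11", "192.168.50.12"))
    gw.authenticate(alice, "alice", True)
    gw.authenticate(mallory, "mallory", True)   # not in the directory: no session
    gw.authenticate(visitor, "visitor", True)
    fileserver, webserver = ip_address("10.1.2.3"), ip_address("198.51.100.7")
    return [
        gw.decide(Flow(mallory, fileserver, 22)),    # reaches the gateway, goes no further
        gw.decide(Flow(alice, fileserver, 22)),      # engineering may reach internal hosts
        gw.decide(Flow(visitor, fileserver, 443)),   # guest is fenced off the internal network
        gw.decide(Flow(visitor, webserver, 443)),    # guest may browse out
        gw.decide(Flow(visitor, webserver, 25)),     # no rule matches: default deny
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Because the rules are keyed on the directory’s role rather than on per-gateway user lists, adding a second or third gateway does not mean duplicating account data, which is the property the article credits Bluesocket with; the audit list is where a failover partner or a central console would collect denied events.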

Today, the encryption/decryption algorithms within the box (which is powered by an 866MHz Pentium III processor and a hardened version of Linux) run in software. That can impose a slight performance penalty on highly trafficked networks, where the bandwidth exceeds 30Mbps.

The fact that Bluesocket has two direct competitors shows the industry has recognized the need for this kind of device. However, products from Vernier Networks and ReefEdge seem less flexible–both require a control hardware server and one or more access gateways–and more expensive.

To me, wireless security gateways seem like the right product at the right time. Wireless access points are ludicrously inexpensive these days–typically about $150, give or take a bit. There’s little doubt they’re coming to your office, to airports, and probably to your home and your local coffee shop, too. If your mobile users are taking corporate notebooks into settings you can’t secure, you need to at least secure the traffic they send when they’re away from the LAN. A wireless gateway that supports strong encryption is a sensible way to go.
