WO2003045034A1 - Security of data through wireless access points supporting roaming - Google Patents


Info

Publication number: WO2003045034A1
Authority: WO (WIPO (PCT))
Prior art keywords: network, wireless, access point, wireless device, server
Application number: PCT/SG2002/000223
Other languages: French (fr)
Inventor: Kok Hong Soh
Original Assignee: Mobiwave Pte, Ltd.
Application filed by: Mobiwave Pte, Ltd.
Priority to: AU2002339830A1
Publication of: WO2003045034A1


Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L 63/00 Network architectures or network communication protocols for network security
            • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L 63/0227 Filtering policies
                • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
              • H04L 63/0272 Virtual private networks
            • H04L 63/16 Implementing security features at a particular protocol layer
          • H04L 61/00 Network arrangements, protocols or services for addressing or naming
            • H04L 61/50 Address allocation
              • H04L 61/5084 Providing for device mobility
        • H04W WIRELESS COMMUNICATION NETWORKS
          • H04W 36/00 Hand-off or reselection arrangements
            • H04W 36/13 Cell handover without a predetermined boundary, e.g. virtual cells
            • H04W 36/08 Reselecting an access point
          • H04W 74/00 Wireless channel access, e.g. scheduled or random access
          • H04W 76/00 Connection management
            • H04W 76/10 Connection setup
          • H04W 8/00 Network data management
            • H04W 8/26 Network addressing or numbering for mobility support
          • H04W 80/00 Wireless network protocols or protocol adaptations to wireless operation
            • H04W 80/04 Network layer protocols, e.g. mobile IP [Internet Protocol]
          • H04W 88/00 Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
            • H04W 88/08 Access point devices

Definitions

  • Fig. 1 is a schematic block diagram of a wireless access point;
  • Fig. 2 shows a typical wireless LAN data packet format;
  • Fig. 3 is a schematic block diagram of a physical wireless network;
  • Fig. 4 is a logical network diagram;
  • Fig. 5 is a wireless access layer model embodying the invention;
  • Fig. 6 is a schematic block diagram, similar to Fig. 3, showing one implementation;
  • Figs. 7a and 7b are block flow diagrams relating to Fig. 6;
  • Fig. 8 is a schematic block diagram, also similar to Fig. 3, showing another implementation;
  • Figs. 9a and 9b are block flow diagrams relating to Fig. 8;
  • Figs. 10a and 10b are block flow diagrams relating to a pre-allocated IP addressing regime;
  • Figs. 11a and 11b are block flow diagrams relating to the processing of packets at a wireless access point.
  • Reference to a “firewall” or “firewall software” is to be understood in the widest context. It includes the meaning of a mechanism that passes only wanted data packets in accordance with established rules.
  • Reference to a “virtual private network” similarly takes the broadest meaning, and includes a secure architecture that authenticates an authorised user and enables secure data exchange through the use of encryption.
  • a reference to “bridging software” includes an electrical and low level functional interface between the wireless domain and the wired domain.
  • Fig. 1 shows the block diagram of a typical wireless access point 10 (e.g. providing an IEEE 802.11b AP).
  • a wireless client 12 connects to the wireless access point 10 via a wireless chip/card 14 therewithin.
  • the CPU 16 receives a data packet 30 from the wireless client 12 which typically is of the format shown in Fig. 2, and communicates via a network chip 18 with the network bus 20.
  • the data packet 30 contains a MAC layer header 32, a Network layer header 34, a Transport layer header 36 and a payload 38.
  • the wireless chip/card 14 and the network chip 18 perform the physical layer interfacing functions in a conventional manner.
  • the CPU 16 functionality in providing security and supporting roaming will be described below.
  • Fig. 3 is at a functional level, and concerns the implementation of a transparent firewall bridge 50 (i.e. within the CPU 16 of Fig. 1). It shows the wireless client device 12 connecting to AP1, one of a number of wireless access points 10, 10', 10", to gain access to the VPN server 40. The client device 12 has the capability to roam from AP1 to AP2 and AP3 and still attain connection to the intranet resources 42 via a secured VPN tunnel.
  • Fig. 4 shows the corresponding logic network diagram, where the VPN tunnel is indicated by reference numeral 44.
  • a set-up takes place.
  • Bridging and firewall software 50 resident in the access point CPU 16, is provided.
  • the firewall software is configured to pass only virtual private network data and, depending upon the form of addressing (i.e. pre-allocated or dynamic), network addressing configuration data.
  • the bridging software transfers packets between the wireless and wired domains, operating at the data link layer.
  • the client 12 connects to the access point 10 at the data link and physical layers by way of the wireless protocol.
  • the client 12 then obtains (i.e.
  • the server 40 also establishes a VPN connection with the client 12.
  • the set up is now complete, and the client is able to access intranet resources 42 via the VPN server 40 (as shown in Fig. 4) with the security offered by a tunneled VPN (situated above the network layer). Communications may take place in a secure manner in that only VPN packets are passed by the AP 10.
  • Fig. 6 shows a wireless communications system in a form similar to Fig. 3. Like elements are shown with the same reference numerals.
  • the file server 40' is the protected resource. There can, of course, be many other such protected resources on the Ethernet 20.
  • the server 40 thus acts much as a gateway, in that it does not itself hold the resources being sought by the wireless device.
  • Fig. 6 will be described in conjunction with the block flow diagram of Figs. 7a and 7b.
  • Step 60 Assume that the internal wired network 20 is subnetted as 192.168.3.x (i.e. with netmask 255.255.255.0).
  • Group Step 62 Set up a PPTP server 40 (e.g. using the known techniques described above). This involves the sub-steps as follows:
  • step 66 configure the same Ethernet interface to an alias IP address 192.168.2.1 with network mask 255.255.255.0 (step 66) (i.e. the alias address is needed to support the subsequent VPN tunneled addressing).
  • step 68 configure the PPTP server (group step 68) to: - allow user A with password <P> to log in to the network (step 70).
  • Step 78 Set up the DHCP server 40 to give out IP addresses to wireless clients of the form, say, 192.168.2.129 - 192.168.2.199.
  • Step 80 Install secure 802.11b AP 10. This specific implementation will be described in greater detail below.
  • Step 81 The wireless client 12 connects to the AP 10.
  • Step 82 The wireless client requests and obtains an IP address from the DHCP server 40. Here it is assumed the client obtains IP address 192.168.2.129.
  • Step 84 The wireless client 12 runs PPTP client software to connect to PPTP server 40, by the substeps of:
  • the wireless client 12 is configured to connect to a PPTP server with IP address 192.168.2.1 (step 86), and logs in as user A with password <P> (step 88).
  • a new IP address 192.168.3.129 is obtained for its end of the PPTP tunnel (step 90).
  • Step 92 Data packets will then be tunneled through the secure PPTP tunnel.
  • Steps 94 and 96 As the wireless client 12 roams from one AP to another, it reassociates itself with the new AP, but retains the IP address 192.168.2.129. Hence, the network layer address will not be broken.
  • Fig. 8 shows a wireless communications system in a form similar to Fig. 3. Like elements are shown with the same reference numerals. Fig. 8 will be described in conjunction with the block flow diagram of Figs. 9a and 9b. The principal difference is that the file server 40' (i.e. the protected resource) exists on a separate subnet to the AP.
  • Step 100 Assume that the internal wired network 20 is subnetted as 192.168.3.x (i.e. with netmask 255.255.255.0).
  • Step 102 Set up a PPTP server 40 , by the substeps of: - configure the protected Ethernet interface (on the protected network 20' where file server 40' is located) to IP address 192.168.3.1 with network mask 255.255.255.0 (step 104).
  • step 106 configure the other Ethernet interface to IP address 192.168.2.1 with network mask 255.255.255.0 (step 106) (i.e. no alias is required in this implementation).
  • step 108 configure PPTP server (step 108) to:
  • IP addresses of range 192.168.3.129-192.168.3.150 to PPTP clients (step 114).
  • Step 118 Configure DHCP server to give out IP addresses to wireless clients of the form, say 192.168.2.129 - 192.168.2.199.
  • Step 120 Install secure 802.11b AP 10, as described below.
  • Step 121 The wireless client 12 connects to the AP 10.
  • Step 122 The wireless client requests and obtains an IP address from the DHCP server 40. Here it is assumed the client obtains IP address 192.168.2.129.
  • Step 124 The wireless client 12 runs PPTP client to connect to PPTP server, by the substeps of: - wireless client configured to connect to a PPTP server with IP address 192.168.2.1 (step 126).
  • a new IP address 192.168.3.129 is obtained for its end of the PPTP tunnel (step 130).
  • Step 132 The data packets will then be tunneled through the secure PPTP tunnel.
  • Steps 134 and 136 As the wireless client roams from one AP to another, it reassociates itself with the new AP, but retains the IP address 192.168.2.129. Hence, the network layer address will not be broken.
  • Another implementation is based on using a pre-allocated IP address for each wireless client device where the IP address is already hard-coded in each wireless client device.
  • the network setup is similar to that of Figs. 6 and 8, except that DHCP services need not be run on the server in such an implementation.
  • Step 200 Assume that the internal wired network 20 is subnetted as 192.168.3.x (i.e. with netmask 255.255.255.0).
  • Step 202 Assume, for the sake of the example, that the wireless client device is pre-allocated a device address of 192.168.2.129.
  • Step 204 Set up a PPTP server 40, by the substeps of:
  • step 208 configure the other Ethernet interface to IP address 192.168.2.1 with network mask 255.255.255.0 (step 208) (i.e. this could be an alias IP address, depending on whether the protected resources are on the same network segment as the wired network of the AP).
  • step 210 configure PPTP server (step 210) to:
  • Step 220 Install secure 802.11b AP 10, as described below.
  • Step 222 The wireless client 12 connects to the AP 10.
  • Step 224 The wireless client 12 runs PPTP client to connect to PPTP server, by the substeps of:
  • - wireless client configured to connect to a PPTP server with IP address 192.168.2.1 (step 226).
  • a new IP address 192.168.3.129 is obtained for its end of the PPTP tunnel (step 230).
  • Step 232 The data packets will then be tunneled through the secure PPTP tunnel.
  • Steps 234 and 236 As the wireless client roams from one AP to another, it reassociates itself with the new AP, but retains the IP address 192.168.2.129. Hence, the network layer address will not be broken.
  • Packets received on the wireless interface consist of an 802.11b header + IP packet.
  • Step 140 Check, from the MAC layer header, that the packet is to be received by this AP for devices connected to the AP in either the wired or wireless network - if not, throw it away (step 142).
  • Step 144 Save the source and destination MAC address in the 802.11b header.
  • Step 146 Strip away the 802.11b header.
  • Step 148 Put IP packet through firewall in accordance with the following rules:
  • step 150 Is it DHCP packet (step 150)? If yes - go to step 156, if no - go to step 152.
  • step 152 Is it a PPTP packet (step 152)? If yes - go to step 156 (these are encrypted packets).
  • step 154 throw it away (intruder packets will get thrown away here) (step 154).
  • Step 156 Add in appropriate header to IP packet in accordance with the following rules:
  • step 158 Is the destination address in the Ethernet network (step 158)? - If yes, add an Ethernet header filled with the source and destination MAC address retrieved in step 144 (step 160).
  • the destination can be any resource supported on the Ethernet network, of which the file server 40' is but one instance.
  • step 162 Is the destination address in the wireless network (step 162)? - If yes, add an 802.11b header filled with the source and destination MAC address retrieved in step 144 (step 164).
  • Step 168 Transmit packets on the appropriate interface.
  • Packets received on the Ethernet interface consist of an Ethernet header + IP packet.
  • Step 170 Check, from the MAC layer header, that the packet is to be received by wireless clients associated with this AP - if not, throw it away (step 172).
  • Step 174 Save the source and destination MAC address in Ethernet header.
  • Step 176 Strip away Ethernet header.
  • Step 178 Put IP packet through firewall rules:
  • step 180 Is it a DHCP packet (step 180)? If yes - go to step 186, if no - go to step 182. - Is it a PPTP packet (step 182)? If yes - go to step 186 (these are encrypted packets).
  • step 184 throw it away (i.e. intruder packets will get thrown away here) (step 184).
  • Step 186 Add in an 802.11b header to the IP packet; the header will be filled with the source and destination MAC address retrieved in step 144.
  • Step 188 Transmit packet on wireless interface.
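The two packet flows of steps 140-168 (wireless to wired) and 170-188 (wired to wireless), as an added Python model that is not code from the patent or from Mobiwave: the AP strips the link header, keeps only DHCP and PPTP packets, and re-adds a header for the egress side. Assumed here, since the patent names only the protocols: DHCP is UDP ports 67/68, PPTP is TCP port 1723 for its control channel plus GRE (IP protocol 47) for the tunnelled data, and both link layers are modelled with a 14-byte Ethernet-style header, whereas a real 802.11 header carries more address fields. The MAC addresses, topology and sample frames are constructed; the IP addresses are the ones from the patent's worked example.

```python
import socket
import struct

# Protocol numbers: the patent names only "DHCP" and "PPTP"; the standard
# port/protocol numbers below are an assumption added for this example.
ETHERTYPE_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47   # GRE carries PPTP data
PPTP_CTRL_PORT = 1723                                # PPTP control channel
DHCP_PORTS = {67, 68}
BROADCAST = b"\xff" * 6


def parse_frame(frame):
    """Split a 14-byte link header from the IP packet (steps 144/146, 174/176)."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def build_frame(dst, src, ip_pkt):
    """Re-add a link header using the saved MAC addresses (steps 160/164/186)."""
    return struct.pack("!6s6sH", dst, src, ETHERTYPE_IP) + ip_pkt


def classify_ip(pkt):
    """Firewall rules of steps 148-154 / 178-184: 'dhcp', 'pptp' or 'other'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == IPPROTO_GRE:                      # PPTP data channel
        return "pptp"
    if proto not in (IPPROTO_TCP, IPPROTO_UDP) or len(pkt) < ihl + 4:
        return "other"
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if proto == IPPROTO_UDP and sport in DHCP_PORTS and dport in DHCP_PORTS:
        return "dhcp"
    if proto == IPPROTO_TCP and PPTP_CTRL_PORT in (sport, dport):
        return "pptp"
    return "other"                                # everything else is dropped


def ap_forward(frame, ingress, wired_macs, wireless_macs):
    """Process one frame received on `ingress` ('wireless' or 'wired').

    Returns ('forward', egress, new_frame) or ('drop', reason).
    """
    dst, src, ethertype, ip_pkt = parse_frame(frame)
    # Steps 140/170: accept only frames for a device reachable through this AP.
    if ingress == "wireless":
        if dst != BROADCAST and dst not in wired_macs | wireless_macs:
            return ("drop", "not for a device behind this AP")        # step 142
        egress = "wireless" if dst in wireless_macs else "wired"     # steps 158/162
    else:
        if dst != BROADCAST and dst not in wireless_macs:
            return ("drop", "not for an associated wireless client")  # step 172
        egress = "wireless"                                          # step 186
    if ethertype != ETHERTYPE_IP:
        return ("drop", "not an IP packet")
    if classify_ip(ip_pkt) == "other":                               # steps 154/184
        return ("drop", "blocked by firewall")
    return ("forward", egress, build_frame(dst, src, ip_pkt))        # steps 168/188


def ipv4(src_ip, dst_ip, proto, payload):
    """Minimal IPv4 header; checksum is left zero in these constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr + payload


def l4(sport, dport):
    """Start of a UDP/TCP header: only the ports matter to the AP's rules."""
    return struct.pack("!HH", sport, dport) + b"\x00" * 16


# Constructed topology (MACs made up; IP addresses are the patent's own example).
CLIENT_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")
STRANGER_MAC = bytes.fromhex("020000000099")
WIRED, WIRELESS = {SERVER_MAC}, {CLIENT_MAC}


def demo():
    """Push constructed frames through one AP and return (verdict, detail) per case."""
    cases = {
        "dhcp_discover": ("wireless", build_frame(BROADCAST, CLIENT_MAC,
            ipv4("0.0.0.0", "255.255.255.255", IPPROTO_UDP, l4(68, 67)))),
        "pptp_control": ("wireless", build_frame(SERVER_MAC, CLIENT_MAC,
            ipv4("192.168.2.129", "192.168.2.1", IPPROTO_TCP, l4(40000, 1723)))),
        "pptp_data_down": ("wired", build_frame(CLIENT_MAC, SERVER_MAC,
            ipv4("192.168.2.1", "192.168.2.129", IPPROTO_GRE, b"\x30\x81\x88\x0b"))),
        "plain_http": ("wireless", build_frame(SERVER_MAC, CLIENT_MAC,
            ipv4("192.168.2.129", "192.168.3.1", IPPROTO_TCP, l4(40001, 80)))),
        "wrong_ap": ("wireless", build_frame(STRANGER_MAC, CLIENT_MAC,
            ipv4("192.168.2.129", "192.168.2.1", IPPROTO_GRE, b""))),
    }
    return {name: ap_forward(frame, ingress, WIRED, WIRELESS)[:2]
            for name, (ingress, frame) in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} -> {verdict}")
```

A rule that admitted only TCP 1723 would let the PPTP control channel come up and then silently block the GRE data channel, so the tunnel would never carry traffic; the AP has to pass both halves of PPTP and nothing else.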
  • a transparent bridging firewall plus VPN connection will block unauthorized users from accessing the network through the wireless access point.
  • an AP is implemented to block all network layer packets except network layer address configuration and discovery (e.g. DHCP) packets and VPN packets.
  • users are free to roam transparently from access point to access point and the application will not have to reset during the roaming; for example, file transfers can continue seamlessly while the wireless client is moving from one AP to another AP.

Abstract

Methods and apparatus for providing client wireless device access to a network are described. The wireless device attains the ability to roam between wireless access points without needing to re-establish a network layer connection to the server. A wireless client device (12) connects with a secure access point (10). The access point (10) connects to a server (40) at the data link layer and has a firewall in place. The firewall passes only virtual private network data and network addressing data. The client obtains a network layer (IP) address, then, through the server (40), has a virtual private network connection established. As the client (12) moves from AP1 (10) to AP2 (10'), the data link layer connection is reestablished with AP2. However, the network layer connection is maintained, and hence the virtual private network connection is maintained. Seamless roaming is thereby supported together with a high level of security.

Description

SECURITY OF DATA THROUGH WIRELESS ACCESS POINTS SUPPORTING ROAMING
Field of the Invention
This invention relates to the field of wireless communications, and wireless access to the resources of wired networks. It relates particularly to the security of data transmitted through wireless access points that support roaming of wireless devices.
Background of the Invention
Wireless communications is a burgeoning field. Personal computers, laptops, personal digital assistants, telephones and remote control devices are but a few of the types of device that are being used in a wireless environment.
In office and, to a lesser extent, home environments, such devices are supported by wireless Local Area Networks (LANs). A contemporary international Standard for wireless LANs is IEEE 802.11b. In the 802.11b Standard, wireless client stations (STA) connect to the access points (AP) to access services in the wired backbone. Access points are essentially STAs that provide access to the distribution system (DS, more commonly known as the wired LAN, such as Ethernet). This Standard thus provides a similar set of services to those offered by a physical Ethernet point, but at the wireless level. Together with this, the Standard also defines an Extended Service Set (ESS) to allow multiple LANs to form a single virtual AP.
The advantage of wireless LAN systems is that a user enjoys the benefits of Ethernet while at the same time is free to roam within the serviced area. The approximate wired equivalent of this scenario is a user being able to move about and plug his Ethernet cable into any available network point.
However, the wireless LAN environment also presents new security issues that need to be addressed. Unlike wired LAN systems, wireless LAN systems do not recognize physical wall boundaries. In a wired LAN system, an outsider cannot easily gain access to the internal network because of the physical security available (e.g. walls and security guards). However, outsiders can easily access wireless LAN systems since walls do not block the passage of radio frequency (RF) signals of wireless LAN systems to the outside world. Because of this, the IEEE 802.11 Standards Committee also defined an optional Standard called Wireless Equivalent Privacy (WEP) to provide data confidentiality for a 802.11 wireless LAN system. The problem is that WEP is weak and can be easily broken. Another problem with WEP is that its integrity is difficult to maintain because it is based on a shared secret key system; it is easy for one person to keep a secret, but it is not practical for a company with hundreds of employees to try to keep a secret.
One known solution to the security problem is to implement a firewall router at APs. The idea is to limit the number of services offered to wireless LAN users. The wireless LAN users can only access a wider range of services by creating a virtual private network (VPN) by tunneling a VPN protocol through this wireless firewall router. The VPN solves the problem of privacy and confidentiality, as an outsider who attempts to gain access to the wireless LAN systems will be blocked at the firewall. Also, any attempts to 'sniff' or eavesdrop on the data packets will be frustrated, as these packets will be encrypted within the VPN tunnel.
Examples of known VPN solutions include Point-to-Point Tunneling Protocol (PPTP) and IPSec, which interface to TCP/IP (i.e. at the network layer). Many Windows™ operating systems have built-in PPTP clients.
The problem with a firewall router AP solution, however, is that the users will no longer enjoy seamless roaming over the wireless LAN system. A firewall router operates at the network layer (or the IP layer in the case of the TCP/IP standard). When the user moves out of the range of one AP to another AP they will need to reconnect because the network layer address (e.g. IP address) will have changed. Typical firewall implementations that are available from open sources (freeware) are Linux™, FreeBSD and OpenBSD. These implementations work by filtering network layer packets. They are also capable of stateful inspection of VPN packets such as PPTP and IPSec.
The present invention is directed to overcoming the problem of security of data and, at the same time, avoiding the deficiency of the firewall router approach, namely that roaming is not possible.
Summary of the Invention
Therefore, the invention discloses a method for establishing data access for a wireless device to a wired network resource via a wireless access point, comprising the steps of: establishing a firewall, at or above the data link layer, in said access point to pass only virtual private network data packets; connecting the wireless device to a server on said wired network via said access point at the data link layer; allocating a network layer address to the wireless device; and establishing a virtual private network connection between the wireless device and the server, via the access point bridging packets between the wireless device and the server, above the network layer, for data access to a network resource.
The invention further discloses a method for providing a wireless device with roaming data access to a wired network resource via wireless access points, the method comprising the steps of: establishing a firewall, at or above the data link layer, in said access points to pass only virtual private network data packets; connecting the wireless device to a server on the wired network via a said access point at the data link layer; allocating a network layer address to the wireless device; and establishing a virtual private network connection between the wireless device and the server above the network layer, via the access point bridging data packets between the wireless device and the server, for data access to a network resource; and wherein, upon the wireless device roaming to another access point, the method comprises the further steps of: connecting the wireless device to said server via said other access point at the data link layer, the wireless device retaining the currently allocated network layer address and the virtual private network layer connection; and continuing data access to a network resource by said virtual private network connection via said other access point.
The invention yet further discloses an access point for a wireless communications network supporting roaming, in which wireless devices connect via said access point with a server on a wired network to access a network resource, the access point comprising: a wireless transceiver for communications with a wireless device; a wired network interface for communications with a server; and a processor, interfacing between said transceiver and said network interface, and being programmed to connect a wireless device to the wired network at the data link layer by bridging packets between the wireless and wired network, and to implement a firewall which operates to pass only virtual private network data packets existing above the data link layer.
The invention yet further discloses a wireless network in which a wireless client device can connect to a server on a wired network to access network resources by one of a plurality of access points, and roam between said access points while maintaining network connection with the server, the network comprising: a said wireless client device; a plurality of said access points, each implementing a firewall which operates to pass only virtual private network data packets existing above the data link layer; and a said server supporting a virtual private network and network addressing; and wherein said wireless client device connects to said server via a said access point at the data link layer, said server allocates a network layer address to the wireless client device and the wireless client device establishes a said virtual private network connection with the server above the network layer, via the access point bridging data packets between the wireless client device and the server, for data access; and further wherein, upon the wireless device roaming to another access point, the wireless device connects to said server via said other access point at the data link layer, and retains the currently allocated network layer address and the virtual private network layer connection, and continues data access to a network resource by said virtual private network connection via said other access point.
Brief Description of the Drawings
In the accompanying drawings:
Fig. 1 is a schematic block diagram of a wireless access point;
Fig. 2 shows a typical wireless LAN data packet format;
Fig. 3 is a schematic block diagram of a physical wireless network;
Fig. 4 is a logical network diagram;
Fig. 5 is a wireless access layer model embodying the invention;
Fig. 6 is a schematic block diagram, similar to Fig. 3, showing one implementation;
Figs. 7a and 7b are block flow diagrams relating to Fig. 6;
Fig. 8 is a schematic block diagram, also similar to Fig. 3, showing another implementation;
Figs. 9a and 9b are block flow diagrams relating to Fig. 8;
Figs. 10a and 10b are block flow diagrams relating to a pre-allocated IP addressing regime; and
Figs. 11a and 11b are block flow diagrams relating to the processing of packets at a wireless access point.
Detailed Description and Best Mode
Embodiments of a wireless access point, a wireless communications network, a firewall router and a method for providing data access to a wireless access point will be described.
In this description, reference to a "firewall" or "firewall software" is to be understood in the widest context. It includes the meaning of a mechanism to pass only wanted data packets in accordance with established rules. Reference to a "virtual private network" (VPN) similarly takes the broadest meaning, and includes a secure architecture that authenticates an authorised user and enables secure data exchange through the use of encryption. A reference to "bridging software" includes an electrical and low level functional interface between the wireless domain and the wired domain. Where reference is made to "computer program" or "programmed", this is to be understood as including equivalent implementations such as ASICs which perform the same functionality.
Wireless Access Point
Fig. 1 shows the block diagram of a typical wireless access point 10 (e.g. providing an IEEE 802.11b AP). A wireless client 12 connects to the wireless access point 10 via a wireless chip/card 14 therewithin. The CPU 16 receives a data packet 30 from the wireless client 12 which typically is of the format shown in Fig. 2, and communicates via a network chip 18 with the network bus 20. The data packet 30 contains a MAC layer header 32, a Network layer header 34, a Transport layer header 36 and a payload 38. The wireless chip/card 14 and the network chip 18 perform the physical layer interfacing functions in a conventional manner. The CPU 16 functionality in providing security and supporting roaming will be described below.
Wireless Communications System
Fig. 3 is at a functional level, and concerns the implementation of a transparent firewall bridge 50 (i.e. within the CPU 16 of Fig. 1). It shows the wireless client device 12 connecting to AP1, one of a number of wireless access points 10, 10', 10", to gain access to the VPN server 40. The client device 12 has the capability to roam from AP1 to AP2 and AP3 and still retain connection to the intranet resources 42 via a secured VPN tunnel. Fig. 4 shows the corresponding logical network diagram, where the VPN tunnel is indicated by reference numeral 44.
Layer Model
Referring now to Fig. 5, the method of connection will be described. If it is a new session of the client with the VPN server 40, then a set-up takes place. Bridging and firewall software 50, resident in the access point CPU 16, is provided. The firewall software is configured to pass only virtual private network data and, depending upon the form of addressing (i.e. pre-allocated or dynamic), network addressing configuration data. The bridging software transfers packets between the wireless and wired domains, operating at the data link layer. In the set up (or establishment) operation, the client 12 connects to the access point 10 at the data link and physical layers by way of the wireless protocol. The client 12 then obtains (i.e. is issued with) a network layer address by traditional means - in the TCP/IP standards this address can be a predetermined fixed IP address or one issued by some automatic process like DHCP (Dynamic Host Control Protocol). The server 40 also establishes a VPN connection with the client 12. The set up is now complete, and the client is able to access intranet resources 42 via the VPN server 40 (as shown in Fig. 4) with the security offered by a tunneled VPN (situated above the network layer). Communications may take place in a secure manner in that only VPN packets are passed by the AP 10.
As the client moves from AP1 (10) to AP2 (10'), the physical and data link layer connections are re-established with AP2. However, the network layer connection is not broken, as the client 12 retains its network layer address. Hence, any application using the VPN connection during roaming does not need to re-establish the network layer connection. This means that any file transfer can continue to take place while the client roams from AP1 (10) to AP2 (10'). The VPN connection exists above the (maintained) network layer, meaning that the connection remains established notwithstanding the client 12 having roamed to another AP.
First Specific Implementation
Fig. 6 shows a wireless communications system in a form similar to Fig. 3. Like elements are shown with the same reference numerals. The file server 40' is the protected resource. There can, of course, be many other such protected resources on the Ethernet 20. The server 40 thus acts much as a gateway, in that it does not itself hold the resources being sought by the wireless device. Fig. 6 will be described in conjunction with the block flow diagram of Figs. 7a and 7b.
The steps of implementing the secure wireless system are as follows, firstly with reference to Fig. 7a:
Step 60. Assume that the internal wired network 20 is subnetted as 192.168.3.x (i.e. with netmask 255.255.255.0).
Group Step 62. Set up a PPTP server 40 (e.g. using the known techniques described above). This involves the sub-steps as follows:
- configure the Ethernet interface to IP address 192.168.3.1 with network mask 255.255.255.0 (step 64).
- configure the same Ethernet interface to an alias IP address 192.168.2.1 with network mask 255.255.255.0 (step 66) (i.e. the alias address is needed to support the subsequent VPN tunneled addressing).
- configure the PPTP server (group step 68) to:
- allow user A with password <P> to login to network (step 70).
- Its end of the PPTP tunnel is set to be 192.168.3.128 (step 72).
- give out IP addresses of range 192.168.3.129-192.168.3.150 to PPTP clients (step 74).
- perform proxy ARP for PPTP clients (step 76).
Step 78. Set up the DHCP server 40 to give out IP addresses to wireless clients of the form, say, 192.168.2.129 - 192.168.2.199.
Step 80. Install secure 802.11b AP 10. This specific implementation will be described in greater detail below.
Now with reference to Fig. 7b:
Step 81. The wireless client 12 connects to the AP 10.
Step 82. The wireless client requests and obtains an IP address from the DHCP server 40. Here it is assumed the client obtains IP address 192.168.2.129.
Step 84. The wireless client 12 runs PPTP client software to connect to PPTP server 40, by the substeps of:
- the wireless client 12 is configured to connect to a PPTP server with IP address 192.168.2.1 (step 86).
- logs in as user A with password <P> (step 88).
- after successful login, a new IP address 192.168.3.129 is obtained for its end of the PPTP tunnel (step 90).
Step 92. Data packets will then be tunneled through the secure PPTP tunnel.
Steps 94 and 96. As the wireless client 12 roams from one AP to another, it reassociates itself with the new AP, but retains the IP address 192.168.2.129. Hence, the network layer address will not be broken.
Second Specific Implementation
Fig. 8 shows a wireless communications system in a form similar to Fig. 3. Like elements are shown with the same reference numerals. Fig. 8 will be described in conjunction with the block flow diagram of Figs. 9a and 9b. The principal difference is that the file server 40' (i.e. the protected resource) exists on a separate subnet to the AP.
The steps to implement the secure wireless system are as follows:
Step 100. Assume that the internal wired network 20 is subnetted as 192.168.3.x (i.e. with netmask 255.255.255.0).
Step 102. Set up a PPTP server 40, by the substeps of:
- configure the protected Ethernet interface (on the protected network 20' where file server 40' is located) to IP address 192.168.3.1 with network mask 255.255.255.0 (step 104).
- configure the other Ethernet interface to IP address 192.168.2.1 with network mask 255.255.255.0 (step 106) (i.e. no alias is required in this implementation).
- configure PPTP server (step 108) to:
- allow user A with password <P> to login to network (step 110).
- Its end of the PPTP tunnel to be 192.168.3.128 (step 112).
- give out IP addresses of range 192.168.3.129-192.168.3.150 to PPTP clients (step 114).
- perform proxy ARP for PPTP clients (step 116).
Step 118. Configure DHCP server to give out IP addresses to wireless clients of the form, say 192.168.2.129 - 192.168.2.199.
Step 120. Install secure 802.11b AP 10, as described below.
With reference to Fig. 9b:
Step 121. The wireless client 12 connects to the AP 10.
Step 122. The wireless client requests and obtains an IP address from the DHCP server 40. Here it is assumed the client obtains IP address 192.168.2.129.
Step 124. The wireless client 12 runs PPTP client to connect to PPTP server, by the substeps of:
- wireless client configured to connect to a PPTP server with IP address 192.168.2.1 (step 126).
- log in as user A with password <P> (step 128).
- after successful login, a new IP address 192.168.3.129 is obtained for its end of the PPTP tunnel (step 130).
Step 132. The data packets will then be tunneled through the secure PPTP tunnel.
Steps 134 and 136. As the wireless client roams from one AP to another, it reassociates itself with the new AP, but retains the IP address 192.168.2.129. Hence, the network layer address will not be broken.
Third Specific Implementation
Another implementation is based on using a pre-allocated IP address for each wireless client device where the IP address is already hard-coded in each wireless client device. The network setup is similar to that of Figs. 6 and 8, except that DHCP services need not be run on the server in such an implementation.
There could be other instances where some wireless client devices use pre-allocated IP addresses and other wireless client devices use dynamic IP addressing (i.e. a mixed addressing scheme). In such environments, the implementation will be that of a dynamic IP addressing-only environment.
With reference to Figs. 10a and 10b, the steps to implement the secure wireless system are as follows:
Step 200. Assume that the internal wired network 20 is subnetted as 192.168.3.x (i.e. with netmask 255.255.255.0).
Step 202. Assume, for the sake of the example, that the wireless client device is pre-allocated a device address of 192.168.2.129.
Step 204. Set up a PPTP server 40, by the substeps of:
- configure the protected Ethernet interface (on the protected network 20' where file server 40' is located) to IP address 192.168.3.1 with network mask 255.255.255.0 (step 206).
- configure the other Ethernet interface to IP address 192.168.2.1 with network mask 255.255.255.0 (step 208) (i.e. this could be an alias IP address depending on whether protected resources are on the same network segment as the wired network of the AP).
- configure PPTP server (step 210) to:
- allow user A with password <P> to login to network (step 212).
- Its end of the PPTP tunnel to be 192.168.3.128 (step 214).
- give out IP addresses of range 192.168.3.129-192.168.3.150 to PPTP clients (step 216).
- perform proxy ARP for PPTP clients (step 218).
Step 220. Install secure 802.11b AP 10, as described below.
Step 222. The wireless client 12 connects to the AP 10.
Step 224. The wireless client 12 runs PPTP client to connect to PPTP server, by the substeps of:
- wireless client configured to connect to a PPTP server with IP address 192.168.2.1 (step 226).
- log in as user A with password <P> (step 228).
- after successful login, a new IP address 192.168.3.129 is obtained for its end of the PPTP tunnel (step 230).
Step 232. The data packets will then be tunneled through the secure PPTP tunnel.
Steps 234 and 236. As the wireless client roams from one AP to another, it reassociates itself with the new AP, but retains the IP address 192.168.2.129. Hence, the network layer address will not be broken.
Common Processing of Packets at Access Points
This is the common processing of installing a secure 802.11b AP, that occurs for the implementations described above, in respective steps 80, 120 and 220.
For packets received from the wireless interface. Packets received on the wireless interface consist of an 802.11b header + IP packet. With reference to Fig. 11a:
Step 140. Check, from the MAC layer header packet, that the packet is to be received by this AP for devices connected to the AP in either the wired or wireless network - if not, throw it away (step 142).
Step 144. Save the source and destination MAC address in the 802.11b header.
Step 146. Strip away the 802.11b header.
Step 148. Put IP packet through firewall in accordance with the following rules:
- [N.B. this step is not required if pre-allocated IP addresses are used for the wireless client devices] Is it DHCP packet (step 150)? If yes - go to step 156, if no - go to step 152.
- Is it a PPTP packet (step 152)? If yes - go to step 156 (these are encrypted packets).
- Else, throw it away (intruder packets will get thrown away here) (step 154).
Step 156. Add in appropriate header to IP packet in accordance with the following rules:
- Is the destination address in the Ethernet network (step 158)? If yes, add an Ethernet header filled with the source and destination MAC address retrieved in step 144 (step 160). The destination can be any resource supported on the Ethernet network, of which the file server 40' is but one instance.
- Is the destination address in the wireless network (step 162)? If yes, add an 802.11b header filled with the source and destination MAC address retrieved in step 144 (step 164).
- Else, throw it away (step 166).
Step 168. Transmit packets on the appropriate interface.
For packets received from the Ethernet interface. Packets received on the Ethernet interface consist of an Ethernet header + IP packet. With reference to Fig. 11b:
Step 170. Check, from the MAC layer header, that the packet is to be received by wireless clients associated with this AP - if not, throw it away (step 172).
Step 174. Save the source and destination MAC address in Ethernet header.
Step 176. Strip away Ethernet header.
Step 178. Put IP packet through firewall rules:
- [N.B. this step is not required if pre-allocated IP addresses are used for the wireless client devices] Is it a DHCP packet (step 180)? If yes - go to step 186, if no - go to step 182.
- Is it a PPTP packet (step 182)? If yes - go to step 186 (these are encrypted packets).
- Else, throw it away (i.e. intruder packets will get thrown away here) (step 184).
Step 186. Add in an 802.11b header to the IP packet; the header will be filled with the source and destination MAC address retrieved in step 144.
Step 188. Transmit packet on wireless interface.
These implementations demonstrate that the intruder can only have access to:
1. DHCP packets - this is of little use as it only shows the IP addresses that the DHCP server gives out to the client. [That is, they are only visible if pre-allocated IP addresses are not used]
2. PPTP packets - these are encrypted - again, there is little useful that can be derived from the packets.
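The AP-side packet processing of steps 140 to 188, including the station table that a roaming client re-registers in at the next AP while keeping its IP address, as an added worked example that is not the patent's own code. It assumes the standard port and protocol numbers the patent does not state (DHCP on UDP 67/68; PPTP control on TCP 1723 and tunnel data in GRE, IP protocol 47) and a simplified 24-byte 802.11 data header; the sample addresses follow the first implementation.

```python
"""Transparent bridging firewall of one AP, modelled on steps 140 to 188.

Added example, not the patent's code. Assumed protocol facts, which the patent
does not state: DHCP rides on UDP ports 67/68; PPTP uses TCP port 1723 for its
control channel and GRE (IP protocol 47) for tunnelled data. The 24-byte
802.11 header is a simplified data-frame layout assumed for this example.
"""
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_GRE = 6, 17, 47
PPTP_CTRL_PORT = 1723
DHCP_PORTS = {67, 68}
ETHERTYPE_IP = 0x0800
BROADCAST_MAC = b"\xff" * 6
BROADCAST_IP = ipaddress.ip_address("255.255.255.255")

def build_ipv4(src, dst, proto, l4=b""):
    """Constructed minimal IPv4 packet (checksum left zero) for test traffic."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + l4

def parse_ipv4(pkt):
    """Return (src, dst, proto, sport, dport), or None if this is not sane IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src, dst = ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(pkt) >= ihl + 4:
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return src, dst, proto, sport, dport

def classify(pkt, preallocated=False):
    """Firewall rules of steps 150 to 154 (and 180 to 184): 'dhcp', 'pptp' or None."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return None
    _, _, proto, sport, dport = hdr
    if not preallocated and proto == PROTO_UDP and {sport, dport} & DHCP_PORTS:
        return "dhcp"   # step 150: only needed when addresses are assigned dynamically
    if proto == PROTO_GRE or (proto == PROTO_TCP and PPTP_CTRL_PORT in (sport, dport)):
        return "pptp"   # step 152: VPN control channel or encrypted tunnel data
    return None         # step 154: anything else is discarded

def ethernet_header(dst_mac, src_mac):
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP)

def wifi_header(addr1, addr2, addr3):
    """Simplified 802.11 data header: frame control, duration, three addresses, seq."""
    return struct.pack("!HH", 0x0008, 0) + addr1 + addr2 + addr3 + b"\x00\x00"

class TransparentBridge:
    """Bridge and firewall state of one AP. Only the station table changes on roaming."""

    def __init__(self, ap_mac, wired_prefixes, preallocated=False):
        self.ap_mac = ap_mac
        self.wired = [ipaddress.ip_network(p) for p in wired_prefixes]
        self.preallocated = preallocated
        self.stations = {}   # station MAC -> IP; a roaming client re-registers the same IP

    def associate(self, mac, ip):
        self.stations[mac] = ipaddress.ip_address(ip)

    def from_wireless(self, frame):
        """Steps 140 to 168. Frame = wifi_header(this AP, source, final destination) + IP."""
        addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]   # step 144
        ip_pkt = frame[24:]                                             # step 146
        if addr1 != self.ap_mac:                                        # steps 140/142
            return "drop", b""
        if classify(ip_pkt, self.preallocated) is None:                 # steps 148 to 154
            return "drop", b""
        dst = parse_ipv4(ip_pkt)[1]
        # Stations are checked before the wired prefixes (an assumption): with the
        # patent's addressing, clients and the server alias share 192.168.2.0/24.
        if dst in self.stations.values():                               # steps 162/164
            return "wireless", wifi_header(addr3, self.ap_mac, addr2) + ip_pkt
        if dst == BROADCAST_IP or any(dst in n for n in self.wired):    # steps 158/160
            return "wired", ethernet_header(addr3, addr2) + ip_pkt
        return "drop", b""                                              # step 166

    def from_ethernet(self, frame):
        """Steps 170 to 188. Frame = ethernet_header(destination, source) + IP."""
        dst_mac, src_mac = frame[0:6], frame[6:12]                      # step 174
        ip_pkt = frame[14:]                                             # step 176
        if dst_mac != BROADCAST_MAC and dst_mac not in self.stations:   # steps 170/172
            return "drop", b""
        if classify(ip_pkt, self.preallocated) is None:                 # steps 178 to 184
            return "drop", b""
        return "wireless", wifi_header(dst_mac, self.ap_mac, src_mac) + ip_pkt  # 186/188
```

With preallocated=True the DHCP rule is skipped, so only PPTP control and GRE traffic crosses the bridge, which is the reduced exposure the third implementation relies on.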
The embodiments described, of a transparent bridging firewall plus VPN connection, will block unauthorized users from accessing the network through the wireless access point. Put another way, an AP is implemented to block all network layer packets except network layer address configuration and discovery (e.g. DHCP) packets and VPN packets. At the same time, users are free to roam transparently from access point to access point and the application will not have to reset during the roaming; for example, file transfers can continue seamlessly while the wireless client is moving from one AP to another AP.

Claims:
1. A method for establishing data access for a wireless device to a wired network resource via a wireless access point, comprising the steps of: establishing a firewall, at or above the data link layer, in said access point to pass only virtual private network data; connecting the wireless device to a server on said wired network via said access point at the data link layer; allocating a network layer address to the wireless device; and establishing a virtual private network connection between the wireless device and the server, via the access point, bridging packets between the wireless device and the server, above the network layer, for data access to a network resource.
2. The method of claim 1, wherein the step of establishing a firewall further includes passing network addressing configuration data packets, and the step of allocating a network layer address is performed dynamically.
3. The method of claim 2, wherein said virtual private network addressing includes an alias address if said requested resource resides on a common part of the wired network, or one or more separate addresses if said requested resource resides on one or more protected subnets.
4. The method of claim 1, wherein the step of allocating a network layer address is performed by way of a pre-allocated address hard-coded in the wireless device.
5. The method of any one of claims 1 to 4, wherein operation of said firewall performs the steps of: stripping data packet headers, and determining whether the stripped packet is of a data packet type to be passed.
6. The method of claim 5, wherein in the VPN connection, the bridging then adds an appropriate interface header based on the original header destination MAC layer address.
7. A method for providing a wireless device with roaming data access to a wired network resource via wireless access points, the method comprising the steps of: establishing a firewall, at or above the data link layer, in said access points to pass only virtual private network data packets; connecting the wireless device to a server on the wired network via a said access point at the data link layer; allocating a network layer address to the wireless device; and establishing a virtual private network connection between the wireless device and the server, above the network layer, via the access point bridging data packets between the wireless device and the server, for data access to a network resource; and wherein, upon the wireless device roaming to another access point, the method comprises the further steps of: connecting the wireless device to said server via said other access point at the data link layer, the wireless device retaining the currently allocated network layer address and the virtual private network layer connection; and continuing data access to a network resource by said virtual private network connection via said other access point.
8. The method of claim 7, wherein the step of establishing a firewall further includes passing network addressing configuration data packets, and the step of allocating a network layer address is performed dynamically.
9. The method of claim 8, wherein said virtual private network addressing includes an alias address if said requested resource resides on a common part of the wired network, or one or more separate addresses if said requested resource resides on one or more protected subnets.
10. The method of claim 7, wherein the step of allocating a network layer address is performed by way of a pre-allocated address hard-coded in the wireless device.
11. The method of any one of claims 7 to 10, wherein operation of said firewall performs the steps of: stripping data packet headers, and determining whether the stripped packet is of a data packet type to be passed.
12. The method of claim 11, wherein in the VPN connection, the bridging then adds an appropriate interface header based on the original header destination MAC layer address.
13. An access point for a wireless communications network supporting roaming, in which wireless devices connect via said access point with a server on a wired network to access a network resource, the access point comprising: a wireless transceiver for communications with a wireless device; a wired network interface for communications with a server; and a processor, interfacing between said transceiver and said network interface, and being programmed to connect a wireless device to the wired network at the data link layer by bridging packets between the wireless and wired network, and to implement a firewall which operates to pass only virtual private network data packets existing above the data link layer.
14. The access point of claim 13, wherein the firewall further passes network addressing configuration data packets if the network layer address is to be assigned dynamically to wireless clients.
15. The access point of claim 14, wherein said virtual private network addressing includes an alias address if said requested resource resides on a common part of the wired network, or one or more separate addresses if said requested resource resides on one or more protected subnets.
16. The access point of claim 13, wherein the processor allocates a network layer address as a pre-allocated address.
17. The access point of any one of claims 13 to 16, wherein said firewall strips data packet headers, and determines whether the stripped packet is of a data packet type to be passed.
18. The access point of claim 17, wherein in the VPN connection, the bridging then adds an appropriate interface header based on the original header destination MAC layer address.
19. A wireless network in which a wireless device can connect to a server on a wired network to access network resources by one of a plurality of access points, and roam between said access points while maintaining network connection with the server, the network comprising: a said client device; a plurality of said access points, each implementing a firewall which operates to pass only virtual private network data packets and network addressing configuration data packets existing above the data link layer; and a said server supporting a virtual private network and network addressing; and wherein said wireless device connects to said server via a said access point at the data link layer, said server allocates a network layer address to the wireless device and establishes a said virtual private network connection between the wireless device and the server above the network layer, via the access point bridging data packets between the wireless device and the server, for data access; and further wherein, upon the wireless device roaming to another access point, the wireless device connects to said server via said other access point at the data link layer, and retains the currently allocated network layer address and the virtual private network layer connection, and continues data access to a network resource by said virtual private network connection via said other access point.
20. The wireless network of claim 19, wherein the firewall further passes network addressing configuration data packets, and allocates a network layer address dynamically.
21. The wireless network of claim 20, wherein said virtual private network addressing includes an alias address if said requested resource resides on a common part of the wired network, or one or more separate addresses if said requested resource resides on one or more protected subnets.
22. The wireless network of claim 19, wherein said client device is hard-coded with a pre-allocated network layer address.
23. The wireless network of any one of claims 19 to 22, wherein said firewall strips data packet headers, and determines whether the stripped packet is of a data packet type to be passed.
24. The wireless network of claim 23, wherein in the VPN connection, the bridging then adds an appropriate interface header based on the original header destination MAC layer address.
PCT/SG2002/000223 2001-10-12 2002-09-27 Security of data through wireless access points supporting roaming WO2003045034A1 (en)
Publications (1)

Publication Number Publication Date
WO2003045034A1 true WO2003045034A1 (en) 2003-05-30
WO2003045034A1 (en) Security of data through wireless access points supporting roaming
US20050083883A1 (en) Mobile network agent
KR20030064100A (en) Wireless local area network access point using public computer device and method for emboding the same
López et al. Network Setup and Usage
AU2002255892A1 (en) Methods and systems for enabling seamless roaming of mobile devices among wireless networks
CA2462730A1 (en) Wireless local area communication network system and method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 69(1) EPC (EPO FORM 1205A DATED 25.06.2004).

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP