The Columbitech WAP Connector integrates a WAP stack into a standard web server, such as Microsoft IIS. This allows WAP gateway technology to be used without the need to move applications from existing server platforms.
Columbitech WAP Connector furthermore provides end-to-end security for access to sensitive corporate data. It also includes normal WAP gateway functionality that provides access to public information on the Internet.
WAP SERVER VS. WAP GATEWAY
Normal web servers use the HTTP protocol to communicate with their clients. A WAP server uses the WAP protocols instead. This allows the WAP server to communicate directly with the WAP clients without going through a WAP gateway.
A WAP server solution has several advantages:
* End-to-end security
* Complete control of the WAP solution
* No need to operate a separate WAP gateway
END-TO-END SECURITY
A WAP server is the only way to achieve true end-to-end security for WAP devices. Normally, a WAP gateway is used to translate between the WAP protocols and the HTTP protocol. In order to do this, the WAP gateway needs to terminate the encrypted and authenticated tunnel from the WAP client. After the WTLS-secured session is terminated in the WAP gateway, individual requests may be encrypted using SSL (Secure Sockets Layer) to and from the web server.
A common misconception is that it is possible to achieve end-to-end security by placing a WAP gateway in the corporate network. Although such a solution removes some of the security problems of an operator-hosted WAP gateway, it is by no means secure. A few examples of the security problems with a corporate-hosted WAP gateway are listed below.
Imagine a wireless banking application where the users are authenticated with client certificates. In a WAP server solution, the identity on the certificate could be used to verify that the client is authorized to perform the operation that is requested. However, if a WAP gateway is used, the identity on the certificate is hidden by the gateway. The application in the web server will only know that the user is allowed to pass through the WAP gateway, but not which accounts he or she should have access to.
Another problem with corporate-hosted WAP gateways is related to internal security. A large majority of all computer crimes are committed by corporate insiders. A WAP gateway is vulnerable to many attacks, including so-called man-in-the-middle attacks. In addition to eavesdropping on communication and stealing passwords and other information, a corporate insider may also bypass the WAP gateway altogether and attack the web server directly.
Most WAP gateways are designed to include support for all the options of the WAP standard. Unfortunately, some of the optional features drastically reduce the security offered by the WTLS layer. Moreover, there is no way for an application residing in the web server to detect which protocol options have been used for a specific WTLS connection, or indeed that WTLS has been used at all. This provides an opportunity for man-in-the-middle attacks or for eavesdropping.
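The WTLS termination at the gateway described in this section, modelled as an added example (not Columbitech code). `seal` and `open_` are a toy authenticated cipher built from SHA-256 and HMAC that stands in for WTLS and SSL record protection; all function names, key names and the sample request are assumptions.

```python
import hashlib, hmac, os

# Toy authenticated cipher standing in for WTLS/SSL record protection (illustration only).
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, record):
    nonce, ct, tag = record[:12], record[12:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def via_gateway(request, k_client_gw, k_gw_server):
    """Gateway deployment: two separate protected hops.
    Returns (plaintext available at the gateway, plaintext at the web server)."""
    record = seal(k_client_gw, request)        # client -> gateway (WTLS hop)
    at_gateway = open_(k_client_gw, record)    # gateway must decrypt to translate WAP -> HTTP
    record2 = seal(k_gw_server, at_gateway)    # gateway -> web server (SSL hop)
    return at_gateway, open_(k_gw_server, record2)

def via_wap_server(request, k_client_server, intermediary_key):
    """WAP server deployment: the session key is shared only by client and server.
    Returns (plaintext available at an intermediary, plaintext at the WAP server)."""
    record = seal(k_client_server, request)
    try:
        at_intermediary = open_(intermediary_key, record)
    except ValueError:
        at_intermediary = None                 # relay holds no key for this session
    return at_intermediary, open_(k_client_server, record)

if __name__ == "__main__":
    req = b"GET /accounts/1001/balance"        # constructed sample request
    k1, k2, k3 = os.urandom(32), os.urandom(32), os.urandom(32)
    print("gateway sees:", via_gateway(req, k1, k2)[0])
    print("relay sees:  ", via_wap_server(req, k1, k3)[0])
```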
COMPLETE CONTROL OF THE WAP SOLUTION
Some operators will require WAP access to go through their WAP portal, and may restrict access to certain content. Using Columbitech WAP Connector, the company has complete control of the WAP solution. The company may make its own policy decisions and has the ability to maintain control over the wireless access.