MOBILE PERSONAL FIREWALL

Ying QIU, Jianying ZHOU, Feng BAO
Institute for Infocomm Research
21 Heng Mui Keng Terrace, Singapore 119613
{qiuying, jyzhou, baofeng}

Abstract - More and more activities (such as e-commerce, e-learning, e-chat, etc.) rely on mobile devices. How to protect mobile users engaged in mobile services is therefore an important issue. Unfortunately, conventional firewalls are inappropriate for mobile networks because of the limited computing and communication capabilities of mobile devices. Furthermore, with a conventional firewall, a guardian is not able to dynamically monitor and control the mobile node's activities when the mobile node roams. In this paper, we introduce a new concept of mobile personal firewall and propose a concrete scheme that matches the mobile environment and exploits mobile network facilities. When a mobile node (MN) roams into a foreign network managed by a mobility anchor point (MAP), the home agent (HA) will authorize the MAP to serve as a security proxy. The HA will negotiate with the MAP on the security association and then transfer to the MAP the defined security rules, which will be applied to all communications to the MN (via the MAP). The MAP could send the MN's traffic logs to the HA. The MN's guardian could dynamically monitor the MN's activities by retrieving the MN's traffic logs through the HA. If necessary, the MN's guardian could update the security rules so that the MN's activities can be controlled dynamically. All the operations are transparent to the MN, and the MN will be served in the way specified by his guardian no matter where he roams.

Keywords - Firewall, Mobile Network, MIPv6, Security.

I. INTRODUCTION

The demand for mobile communication is growing exponentially. In many countries, the number of wired phone users is currently well below that of mobile phone owners, and the function of a mobile phone goes far beyond voice communication. There will be a huge market for mobile e-commerce.

According to the analysis of the "Mobile Commerce Report" [1], teens are the primary target market for m-commerce services. As teens are not economically independent and must be guarded by their parents or guardians, a secure system is required to dynamically monitor and control the teens' activities on the Internet. Unfortunately, due to the limitation of its framework, a conventional firewall is not suitable for mobile networks.

In this paper, we introduce a new concept of mobile personal firewall to meet such a requirement in mobile networks. A concrete scheme is proposed. In the scheme, the Home Agent (HA) authorizes the Mobility Anchor Point (MAP) as the security proxy on behalf of the HA when the mobile node (MN) visits the MAP subnet. When the HA negotiates with the correspondent node (CN) about the security association (SA) and shared keys, it also negotiates with the MAP about the security key and transfers to the MAP the defined security rules for the MN. The security rules could specify:

    which correspondent sites the MN can access without limitation, e.g. school network, studying web sites;
    which correspondent sites the MN can access but with time and/or data limitation, e.g. game sites, movie sites, purchase sites;
    which correspondent sites the MN can access on special occasions, e.g. world cup web sites;
    which correspondent sites the MN cannot access, e.g. adult web sites or all sites but those specified above.

After receiving the security rules and the MN's binding update message, the MAP creates an entry for the MN that includes the home address (HoA) as index, the Regional Care-of-Address (RCoA), the On-Link Care-of-Address (LCoA), the security keys and the security rules, and adds it to the MAP's access control cache. When the MN leaves the MAP, the MAP can delete this entry from the access control cache.

When a packet routes through the MAP to the MN, the MAP will retrieve the MN's entry and decide whether to forward or to drop the packet.

Meanwhile, the MAP can send the MN's traffic log to the HA at specified intervals. The parents or guardians can monitor the MN's (i.e. child's) activities by reviewing the MN's traffic logs from a remote machine. If necessary, the parents can modify the security policy stored in the HA for the MN; the HA then sends the updated security rules to the MAP. Afterwards, the MAP updates its access control cache automatically.

The operation is transparent to the MN (i.e. child). The MN will be served in a way specified by his parents no matter where he roams.

Furthermore, before the MN can finally register with the MAP, the MAP should be authenticated by the HA. If the
MAP is a denied router on the HA's access control list, the HA could inform the MN to choose another nearby MAP.

II. BASIC KNOWLEDGE

In the HMIPv6 framework [3], the MAP is a router located in a domain visited by mobile nodes. The MAP provides localized mobility management for the visiting mobile nodes. Every MN bundles three addresses: HoA, RCoA and LCoA. For details, please refer to [3,5].

The MAP functions like a Network Address Translating (NAT) server [6]. If the MN sends packets to its HA or CNs, the source address of the packets is set to RCoA. Conversely, when the MAP receives packets with the destination address RCoA from the CN or the HA, the MAP tunnels the packets to the related LCoA. The CNs and HA always connect to the MN with its RCoA.

In order to perform mutual authentication between the HA and the MAP, digital signatures are used in our scheme. PH and SH are the public/private key pair of the MN's HA. SH is kept by the HA in the home link, probably inside a tamper-resistant cryptographic processing device. The home link obtains a public-key certificate

    CertH = {HLSP, PH, Valid_Interval, SIGCA}

from a certification authority CA, where HLSP is the home link subnet prefix, Valid_Interval is the valid duration of the certificate, and SIGCA is the CA's signature on HLSP, PH and Valid_Interval. The advantage of the use of HLSP is described in the CBU protocol [2]. Similarly, the MAP has its own security suite, PMAP, SMAP and CertMAP.

Below is a list of the notations used throughout the paper:
    h()         a cryptographically secure one-way hash function, or one-way hash function in short, such as MD5 or SHA.
    prf(k, m)   a keyed pseudo random function. It accepts a secret key k and a message m, and generates a pseudo random output. This function is used for both message authentication and cryptographic key derivation.
    e(k, m)     encryption of message m with a secret key k.
    Sig(SX, m)  digital signature on a message m using a private key SX.
    PX/SX       a public and private key pair of node X in a digital signature public key crypto-system such as RSA or DSS.
    m|n         concatenation of two messages m and n.

III. SECURITY TABLES

In our scheme, 6 cache tables will be established. The HA holds 3 cache tables: a trusted MAP cache, a security rule cache and a security association cache for the MAP.

The MAP holds 2 cache tables: another security rule cache, and another security association cache for the MN and the HA. In addition, the MN holds the third security association cache for the MAP.

Table 1. An entry of trusted MAP cache
    MAP address | Accepted / Denied

The trusted MAP cache indicates which MAP the mobile node can or cannot register with. If the MAP submitted by the MN is not acceptable, the HA will inform the MN to try other nearby MAPs. The trusted MAP cache is configured by the administrator or the children's parents and kept in the HA. Table 1 shows an entry in the trusted MAP cache.

Table 2. The content of an entry in the security rule cache
    Local Address        Remote Address   Action        Life time             Restriction
    MN's HoA (at HA)     HA's Address     Accept        Any                   All
    or                   CN1's Address    Pass / Drop   Bytes / Time / Both   Application protocols / Ports
    MN's RCoA (at MAP)   .....            ....          ....                  ....
                         CNn's Address    Pass / Drop   Bytes / Time / Both   Application protocols / Ports

A home agent could serve a number of registered mobile nodes, which we call local devices. Each local device could be connected to several correspondent nodes, which we call remote devices. The connection between a local device and a remote device is called a channel. We can assign different security rules to every channel, which we call an entry of security rules. Table 2 shows the content of an entry in the security rule cache. The reason we emphasize the security rule for the channel between the MN and its HA is to avoid the communication between them being blocked by the MAP.

We retrieve an entry of this security rule cache by both the MN's local address and its remote address. The local address is the MN's home address. The remote address could be the CN's static address with or without subnet mask, or its domain name if the CN is a wired machine, or the CN's home address if the CN is a mobile device.

The item "Action" specifies which operation will be performed on the packets between the local device and the remote device. Pass option: the firewall will be transparent to the packets between the MN and the CN; Drop option: the firewall will block the communication between the MN and the CN.

The item "Lifetime" indicates how long the communication is allowed. It could be based on the transferred data, on the transfer time, or on both. It could even be specified for a special period of a day.

The item "Restriction" specifies which application protocols or ports are affected by the Action. The security rule cache is configured by the administrator or
children's parents and will be transferred to the MAP. Then the MAP generates a copy of the security rule entry, and uses it to control the communication between the registered MN and its CN.

Table 3. An entry of security association cache located in the home agent (HA) of a mobile node.
    MN's HoA | MAP Address | RCoA | Encryption Key (kEN) | Binding Update Key (kBU) | Acknowledgement / Request Key (kBA/R) | Time Stamp

Table 4. An entry of security association cache located in the mobile anchor point (MAP).
    MN's HoA | MN's RCoA | MN's LCoA | RSA Public Key of MN's HA (PH) | Time Stamp | Encryption Key (kEN) | Binding Update Key (kBU) | Acknowledgement / Request Key (kBA/R)

Table 5. An entry of security association cache located in the mobile node (MN).
    MAP Address | Binding Update Key (kBU) | Acknowledgement / Request Key (kBA/R) | Time Stamp

The security association cache stores a series of keys for secure communication. The entries of the security association caches located in the HA, the MAP and the MN are shown in Tables 3, 4 and 5, respectively. These security association caches are generated automatically during the negotiation.

IV. NEGOTIATION PROCESS

Before building a channel between a mobile node and its correspondent node, the registering MAP must negotiate with the home agent of the mobile node to generate a security association, which includes a Diffie-Hellman key pair for both the MAP and the HA, secure session keys, etc.

The message exchange in our scheme is an extension of the Certificate-based Binding Update (CBU) protocol [2]. In our scheme, the existence of the HA and the MAP is transparent to the CN. In addition, the operations performed by the HA and the MAP are transparent to both the MN and the CN. Figure 1 shows the message exchange among the MN, the MAP and the HA.

When a MN enters a MAP domain and informs its HA that it would like to register under this MAP as a router, it sends a route optimization request

    MREQ = {Src=HoA, Des=HA, RCoA, MAP, Req, Ran}

to the HA via reverse tunnelling, where Req signals the start of the protocol and Ran is a random number. Here MAP represents both the mobile anchor point and its IP address. Message MREQ is sent to the MN's home link via the IPSec protected secure tunnel [2]. IPSec provides replay protection only when dynamic security association establishment is used. This may not always be possible, and manual keying might be preferred in certain circumstances. For this reason, we have included a random number Ran in MREQ to counter message replay.

[Fig. 1 shows the message sequence among MN, MAP and HA: MREQ - request, MDNY - deny, MHK - HA DH key (X), MMK - MAP DH key (Y), MHC - HA Certificate, MMC - MAP Certificate, MSK - session keys, MBU - binding update, MBA - binding ack, MLV - MN leaves MAP]
Fig. 1. Message exchange among MN, MAP and HA

Upon receiving message MREQ, the HA will check whether the MAP is an acceptable router according to the HA's own trusted MAP cache. If the MAP is a denied router, then the HA will send back a message

    MDNY = {Src=HA, Des=RCoA, HoA, MAP, Denial, Ran}

to the MN. After receiving this message, the MN will select another nearby MAP and resend message MREQ to the HA. (Please refer to HMIPv6 [3] for the choice of a proper MAP.)

If the MAP is acceptable, the HA generates a nonce N0 and a Diffie-Hellman secret value x < p, and computes its Diffie-Hellman public value X = g^x mod p. Then, the HA sends the MAP a message

    MHK = {Src=HoA, Des=MAP, N0, X, p, g, Time_Stamp}

where Time_Stamp is a time stamp. This time stamp has two functions. One of them is to indicate how often to update the nonce N0. The other is to trace back the culprit should a malicious mobile node flooding attack have occurred.

Upon receiving message MHK, the MAP generates a nonce N1 and a Diffie-Hellman secret value y < p, computes its Diffie-Hellman public value Y = g^y mod p, the Diffie-Hellman key k = X^y mod p and finally a master secret

    master_secret = prf(k, N0|N1).

Meanwhile, the MAP also computes 3 secret session keys,

    kBU   = prf(master_secret, N1|N0|0),
    kBA/R = prf(master_secret, N1|N0|1),
    kEN   = prf(master_secret, N1|N0|2),

where kBU is the binding key used for authenticating binding
update messages from the MN to the MAP, kBA/R is the acknowledgement/request key used for authenticating binding acknowledgement/request messages from the MAP to the MN, and kEN is the encryption key used for encrypting packets between the MAP and the HA. Then, the MAP sends a message

    MMK = {Src=MAP, Des=HoA, N1, Y, MAC0}

to the MN, where

    MAC0 = prf(master_secret, N1|Y|MHK).

Note that the destination address of MMK is the MN's home address HoA. As a result, this message is delivered to the MN's home link and intercepted by the HA using IPv6 Neighbor Discovery [7].

Upon intercepting message MMK, the HA also generates the master_secret and the three session keys -- kBU, kBA/R and kEN -- by following the same formulas used by the MAP. If MAC0 is verified to be correct with the master_secret, the HA will send to the MAP a message

    MHC = {Src=HoA, Des=MAP, CertH, SIGH}

where

    SIGH = Sig(SH, HoA|MAP|N0|N1|MHK|MMK|CertH),

and

    CertH = {HLSP, PH, Valid_Interval, SIGCA}

is the public-key certificate of the home link defined before.

After receiving message MHC, the MAP validates the home link's public key certificate CertH and the signature SIGH, and, importantly, checks the equality between the home link subnet prefix strings embedded in both CertH and HoA. If all the validations and the check are positive, the MAP will create an entry in its security association cache for this MN that includes HoA, RCoA, LCoA, kBU, kBA/R, kEN and Time_Stamp. At this first time, RCoA and LCoA should be null and void. Finally, the MAP sends to the HA the following message

    MMC = {Src=MAP, Des=HoA, CertMAP, SIGMAP}

where

    SIGMAP = Sig(SMAP, MAP|HoA|N0|N1|MHK|MMK|MHC|CertMAP)

and

    CertMAP = {MAP, PMAP, Valid_Interval', SIGCA'}

is the public key certificate of the MAP as defined before.

Again, this message is intercepted by the HA. Then the HA validates the MAP's public key certificate CertMAP and the signature SIGMAP, and, importantly, checks the equality between the IP address of the MAP in CertMAP and the source address (MAP). If all the validations and the check are positive, the HA sends kBU and kBA/R to the MN through the secure IPSec ESP protected tunnel,

    MSK = {Src=HA, Des=RCoA, HoA, Ran, kBU, kBA/R},

where Ran is the random number received in MREQ.

After receiving message MSK, the MN checks if Ran is the same as the one it sent out in MREQ. If so, the MN sends the binding update message

    MBU = {Src=LCoA, Des=MAP, HoA, RCoA, Seq#, Life_Time, MACBU}

to the MAP, where Seq# is a sequence number used to detect replay attacks, Life_Time is the lifetime of the binding and

    MACBU = prf(kBU, HoA|LCoA|RCoA|Seq#|Life_Time)

is the MAC on the binding update parameters.

If MBU is verified positive, the MAP may reply with a binding acknowledgement message

    MBA = {Src=MAP, Des=LCoA, HoA, RCoA, Seq#, Life_Time', MACBA},

where Seq# is copied from the BU message, Life_Time' is the granted lifetime, and

    MACBA = prf(kBA/R, RCoA|MAP|Seq#|Life_Time')

is a MAC generated using kBA/R to authenticate the BA message. Then, the MAP will update the entry in its security association cache.

When the MN moves to another access router (AR) and changes its LCoA, it only needs to resend message MBU to inform the MAP to update the entry in the security association cache for this MN.

After the MN leaves this MAP for another MAP, the HA will delete the related entries in its security association cache. Meanwhile, the HA also sends a message

    MLV = {Src=HoA, Des=MAP, Leave, MACLV}

to the MAP, where

    MACLV = prf(master_secret, HoA|Leave).

Upon receiving the message MLV, the MAP will delete the related entries in its security association cache and security rule cache.

It is beyond the scope of this paper to describe how to provide seamless communication when a MN roams among ARs and MAPs. For related material, please refer to [3,7,8].

V. FIREWALL PROCESS

Figure 2 shows the message exchange to activate a mobile firewall.

[Fig. 2 shows the message sequence among MN, MAP and HA: MINI - initial request, MMAP - MAP?, MSR - security rules, MLOG - MN's Log, MLOG - MN's Log]
Fig. 2. Message exchange to activate a mobile firewall

When a MN and its CN begin the communication, the HA will act as a secure proxy to negotiate the security keys for the channel between the MN and the CN, as described in [2]. Meanwhile, the firewall for the MN is launched.
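The HA-MAP negotiation of Section IV, worked through as an added example that is not part of the paper: the Diffie-Hellman values exchanged in MHK and MMK, the master_secret and the three session keys kBU, kBA/R and kEN derived with prf, the MAC0 check that binds MMK to the MHK it answers, and MACBU on the MN's binding update, including the rejection of a forged MAC0, a replayed Seq# and a tampered binding. The example's own assumptions: prf is instantiated as HMAC-SHA256, the Diffie-Hellman group is a toy 127-bit group (a deployment would use a standard group), the field encoding, the IPv6 addresses and the time stamp are constructed, and the certificate messages MHC and MMC are omitted.

```python
"""HA <-> MAP negotiation of Section IV as an added illustration, not the authors' code.
Assumptions: prf = HMAC-SHA256, toy DH group, constructed addresses and encoding;
the certificate messages MHC/MMC are omitted."""
import hashlib
import hmac
import secrets

# Assumption: the paper leaves p and g open. A 127-bit Mersenne prime keeps the example
# fast; a deployment would use a standard MODP group (e.g. RFC 3526) or an EC group.
P = (1 << 127) - 1
G = 5


def prf(k: bytes, m: bytes) -> bytes:
    """prf(k, m) instantiated as HMAC-SHA256 (assumption; the paper only needs a keyed PRF)."""
    return hmac.new(k, m, hashlib.sha256).digest()


def ibytes(v: int) -> bytes:
    return v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")


def cat(*parts) -> bytes:
    """The paper's m|n concatenation, length-prefixed so field boundaries cannot shift.
    A dict (a whole message such as MHK inside MAC0) is flattened in sorted field order."""
    out = b""
    for part in parts:
        if isinstance(part, dict):
            part = cat(*(part[k] for k in sorted(part)))
        elif isinstance(part, int):
            part = ibytes(part)
        elif isinstance(part, str):
            part = part.encode()
        out += len(part).to_bytes(2, "big") + part
    return out


def derive_keys(dh_key: int, n0: bytes, n1: bytes) -> dict:
    """master_secret = prf(k, N0|N1); kBU, kBA/R, kEN = prf(master_secret, N1|N0|i), i = 0, 1, 2."""
    master = prf(ibytes(dh_key), cat(n0, n1))
    return {"master_secret": master, "kBU": prf(master, cat(n1, n0, 0)),
            "kBA/R": prf(master, cat(n1, n0, 1)), "kEN": prf(master, cat(n1, n0, 2))}


def ha_on_mreq(trusted_maps: dict, mreq: dict):
    """Consult the trusted MAP cache (Table 1): MDNY for a denied MAP, else MHK with X = g^x mod p."""
    if not trusted_maps.get(mreq["MAP"], False):
        return {"Src": "HA", "Des": mreq["RCoA"], "HoA": mreq["Src"], "MAP": mreq["MAP"],
                "Denial": 1, "Ran": mreq["Ran"]}, None
    x, n0 = secrets.randbelow(P - 2) + 1, secrets.token_bytes(16)
    mhk = {"Src": mreq["Src"], "Des": mreq["MAP"], "N0": n0, "X": pow(G, x, P),
           "p": P, "g": G, "Time_Stamp": 1700000000}          # constructed time stamp
    return mhk, {"x": x, "n0": n0, "ran": mreq["Ran"], "mhk": mhk}


def map_on_mhk(mhk: dict):
    """MAP: pick y and N1, compute Y, k = X^y mod p, the keys, and MAC0 = prf(master_secret, N1|Y|MHK)."""
    y, n1 = secrets.randbelow(mhk["p"] - 2) + 1, secrets.token_bytes(16)
    big_y = pow(mhk["g"], y, mhk["p"])
    keys = derive_keys(pow(mhk["X"], y, mhk["p"]), mhk["N0"], n1)
    mac0 = prf(keys["master_secret"], cat(n1, big_y, mhk))
    return {"Src": mhk["Des"], "Des": mhk["Src"], "N1": n1, "Y": big_y, "MAC0": mac0}, keys


def ha_on_mmk(state: dict, mmk: dict):
    """HA: recompute the keys from Y and verify MAC0 against the MHK it sent; None = reject."""
    keys = derive_keys(pow(mmk["Y"], state["x"], P), state["n0"], mmk["N1"])
    expected = prf(keys["master_secret"], cat(mmk["N1"], mmk["Y"], state["mhk"]))
    return keys if hmac.compare_digest(expected, mmk["MAC0"]) else None


def mn_mbu(kbu: bytes, hoa: str, lcoa: str, rcoa: str, map_addr: str, seq: int, life: int) -> dict:
    """MBU with MACBU = prf(kBU, HoA|LCoA|RCoA|Seq#|Life_Time)."""
    mac = prf(kbu, cat(hoa, lcoa, rcoa, seq, life))
    return {"Src": lcoa, "Des": map_addr, "HoA": hoa, "RCoA": rcoa, "Seq#": seq,
            "Life_Time": life, "MACBU": mac}


def map_verify_mbu(kbu: bytes, mbu: dict, last_seq: int) -> bool:
    """Reject a replayed Seq# first, then check the MAC over the binding parameters."""
    if mbu["Seq#"] <= last_seq:
        return False
    expected = prf(kbu, cat(mbu["HoA"], mbu["Src"], mbu["RCoA"], mbu["Seq#"], mbu["Life_Time"]))
    return hmac.compare_digest(expected, mbu["MACBU"])


def run() -> dict:
    """Constructed addresses: one denied and one accepted MAP, then a binding update."""
    hoa, rcoa, lcoa, map_ok = "2001:db8:1::100", "2001:db8:20::100", "2001:db8:21::100", "2001:db8:20::1"
    trusted = {map_ok: True, "2001:db8:bad::1": False}   # Table 1
    ran = secrets.token_bytes(8)
    denied, _ = ha_on_mreq(trusted, {"Src": hoa, "Des": "HA", "RCoA": rcoa, "MAP": "2001:db8:bad::1", "Req": 1, "Ran": ran})
    mhk, st = ha_on_mreq(trusted, {"Src": hoa, "Des": "HA", "RCoA": rcoa, "MAP": map_ok, "Req": 1, "Ran": ran})
    mmk, map_keys = map_on_mhk(mhk)
    ha_keys = ha_on_mmk(st, mmk)
    forged = dict(mmk, MAC0=bytes(32))                  # MMK with a wrong MAC0 must be rejected
    mbu = mn_mbu(ha_keys["kBU"], hoa, lcoa, rcoa, map_ok, seq=1, life=600)
    tampered = dict(mbu, RCoA="2001:db8:66::100")        # changed binding, unchanged MACBU
    return {"denied": "Denial" in denied, "keys_agree": ha_keys == map_keys,
            "forged_rejected": ha_on_mmk(st, forged) is None,
            "mbu_ok": map_verify_mbu(map_keys["kBU"], mbu, last_seq=0),
            "replay_rejected": not map_verify_mbu(map_keys["kBU"], mbu, last_seq=1),
            "tamper_rejected": not map_verify_mbu(map_keys["kBU"], tampered, last_seq=0)}
```

Both sides obtain the same key set only when they agree on k, N0 and N1, and because MAC0 covers the whole MHK the HA detects a modified p, g or X before it reveals its certificate in MHC. The Seq# comparison is what the paper relies on against replay of MBU, so the MAP has to keep the last accepted Seq# per HoA alongside the keys in its security association cache (Table 4).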
As soon as the HA intercepts the initial message MINI

    MINI = {Src=HoA, Des=CN, CoA(RCoA), Req, Ran}

from the MN, the HA will retrieve the related MAP based on the MN's HoA from its security association cache. If the MAP's entry is not available in the HA's security association cache, then the HA will send to the MN a message

    MMAP = {Src=HA, Des=CoA(RCoA), HoA, Req_MAP, Ran}

to request the MN to resend the message MREQ in order to inform the HA which MAP the MN is currently registered with. Upon receiving the message, the MN will then re-initiate the negotiation process described in the above section.

Otherwise, if the MAP's entry is available, the HA will get the encryption key kEN and will retrieve from the security rule cache the security rule entry based on both the MN's HoA and the CN (or the CN's HoA). If no security rule entry is available for the HoA and CN, the default security rule will be used. Then the HA will send to the MAP a message MSR,

    MSR = {Src=HoA, Des=MAP, rules*, SIGH}

where rules* is the security rules encrypted with the encryption key kEN,

    rules* = e(kEN, security_rules),

and SIGH is the signature on the security rules signed with the home link's private key SH,

    SIGH = Sig(SH, HoA|MAP|rules*).

When the MAP receives the message MSR, the MAP retrieves from its security association cache the related public key PH and encryption key kEN. After validating the signature SIGH with a positive result, the MAP generates an entry for the security rule and adds it to its security rule cache.

According to the HMIPv6 framework, every packet from the CN to the MN will pass through the router MAP. The MAP can capture all these packets, and decide how to process them according to the related security rule: forwarding or dropping the packets. As the security rule is configured based on the source address, destination address, application protocols and ports, our solution could implement all the features of a normal firewall [4].

Moreover, the MAP could also count the connection time and the size of data transferred between the CN and the MN. If they exceed the value specified in the security rule, the MAP may break the communication.

Further, the MAP may log the MN's activities and report the activity log to the home agent at specified intervals:

    MLOG = {Src=MAP, Des=HoA, i, HoA, log*}

where HoA is used to indicate the mobile node, i is the sequence number of the log, and log* is the encrypted activity log of the mobile node at the specified interval,

    log* = e(kEN, activity_log),

where kEN is the encryption key between the MAP and the HA generated in the negotiation process.

The parents of the MN (i.e. child) can monitor the MN's activities by reviewing the MN's logs from a remote machine. If necessary, the parents can remotely modify the security rules stored in the HA for the MN; the HA can then send the message MSR to the MAP again so that the MAP can update the MN's security rules for synchronization. All the operations in the firewall process are transparent to the MN (child).

VI. CONCLUSION

As a conventional firewall is unsuitable for mobile networks, we introduced the concept of mobile personal firewall, and described how to implement a stateful firewall in the mobile IP infrastructure. There are three main parts in our scheme:

    1. Authentication and authorization: this part focuses on how to authenticate between the HA and the MAP as well as between the MN and the MAP.
    2. Control and monitor: this part focuses on how the guardian of the MN can control and monitor the MN's
    3. Management: this part focuses on how to effectively manage the security material.

All the operations are transparent to the mobile user, and he will be served in a way specified by his guardian no matter where he roams. The mobile firewall could have the full features of a conventional stateful firewall.

For reasons of privacy and law, we limit our discussion in this paper to a scenario of teens and their parents or guardians. Obviously, the idea could be employed in enterprises. With the mobile firewall, administrators could monitor and control their mobile employees' activities in the same way that they do for their fixed employees with conventional

REFERENCES

[1] Durlacher Research Ltd, "Mobile Commerce Report", 1999.
[2] R. H. Deng, J. Zhou, and F. Bao, "Defending Against Redirect Attacks in Mobile IP", 9th ACM Conference on Computer and Communications Security, pages 59--67, Washington, DC, November 2002, ACM Press.
[3] H. Soliman and K. El-Malki, "Hierarchical MIPv6 Mobility Management (HMIPv6)", IETF INTERNET-DRAFT, Feb. 2004.
[4] Linux iptables HOWTO.
[5] D. B. Johnson and C. Perkins, "Mobility Support in IPv6", IETF INTERNET-DRAFT, July 2003.
[6] P. Srisuresh and K. Egevang, "Traditional IP Network Address Translator (Traditional NAT)", IETF RFC 3022, January 2001.
[7] T. Narten, E. Nordmark, and W. Simpson, "Neighbor Discovery for IP Version 6 (IPv6)", IETF RFC 2461, December 1998.
[8] R. Koodli, "Fast Handovers for Mobile IPv6", IETF INTERNET-DRAFT, Feb. 2004.
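The MAP-side firewall process of Section V and the security rule cache of Table 2, worked through as an added example that is not part of the paper: a first-match lookup of the rule for the (MN, CN) channel with the HA channel always accepted and a default rule when no entry exists, the forward/drop decision for each packet, Lifetime accounting in transferred bytes and connection time after which the MAP breaks the communication, the Restriction on protocols and ports, installation of a new rule set when an MSR arrives, and the activity log handed to the HA in MLOG. The example's own assumptions: the MapFirewall, Rule and Channel names, the IPv6 addresses and packets, the first-match semantics, connection time measured from the first packet of a channel, and the fact that e(kEN, .) is not applied to the log here.

```python
"""MAP-side firewall process of Section V as an added illustration, not the authors' code.
Assumptions: class/field names, first-match rule order, time measured from the first packet
of a channel, constructed addresses and packets; e(kEN, .) on the log is left out."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One entry of the security rule cache (Table 2). The local address is implicit:
    one MapFirewall instance exists per registered MN (HoA / RCoA)."""
    remote: str                          # CN address or prefix, e.g. "2001:db8:10::/48"
    action: str                          # "pass" or "drop"
    max_bytes: Optional[int] = None      # Lifetime: data limit (None = unlimited)
    max_seconds: Optional[int] = None    # Lifetime: time limit (None = unlimited)
    protocols: frozenset = frozenset()   # Restriction: protocols affected (empty = all)
    ports: frozenset = frozenset()       # Restriction: ports affected (empty = all)

    def matches(self, cn: str, proto: str, port: int) -> bool:
        if ipaddress.ip_address(cn) not in ipaddress.ip_network(self.remote, strict=False):
            return False
        if self.protocols and proto not in self.protocols:
            return False
        return not self.ports or port in self.ports


@dataclass
class Channel:
    """Counters for one MN<->CN channel, used for the Lifetime check."""
    bytes_seen: int = 0
    first_seen: Optional[float] = None
    broken: bool = False


class MapFirewall:
    def __init__(self, hoa: str, ha_address: str, default_action: str = "drop"):
        self.hoa = hoa
        # First row of Table 2: the MN<->HA channel is always accepted so that the MAP
        # can never block HA signalling.
        self.ha_rule = Rule(ha_address, "pass")
        self.rules = [self.ha_rule]
        self.default = Rule("::/0", default_action)   # used when no entry exists for the CN
        self.channels = {}
        self.activity_log = []

    def install_rules(self, rules) -> None:
        """Replace the MN's entries when an MSR arrives (the HA row is kept)."""
        self.rules = [self.ha_rule] + list(rules)
        self.channels.clear()

    def lookup(self, cn: str, proto: str, port: int) -> Rule:
        for rule in self.rules:            # first match wins (assumption)
            if rule.matches(cn, proto, port):
                return rule
        return self.default

    def handle(self, cn: str, proto: str, port: int, size: int, now: float) -> str:
        """Decide for one packet on the channel (HoA, cn); returns 'forward' or 'drop'."""
        rule = self.lookup(cn, proto, port)
        ch = self.channels.setdefault(cn, Channel())
        if ch.first_seen is None:
            ch.first_seen = now
        decision = "forward" if rule.action == "pass" else "drop"
        if decision == "forward" and not ch.broken:
            over_bytes = rule.max_bytes is not None and ch.bytes_seen + size > rule.max_bytes
            over_time = rule.max_seconds is not None and now - ch.first_seen > rule.max_seconds
            if over_bytes or over_time:
                ch.broken = True           # the MAP breaks the communication
        if ch.broken:
            decision = "drop"
        if decision == "forward":
            ch.bytes_seen += size
        self.activity_log.append((now, cn, proto, port, size, decision))
        return decision

    def mlog(self, i: int) -> dict:
        """MLOG = {Src=MAP, Des=HoA, i, HoA, log*}; the MAP would apply e(kEN, .) to the log."""
        entries, self.activity_log = self.activity_log, []
        return {"Src": "MAP", "Des": self.hoa, "i": i, "HoA": self.hoa, "activity_log": entries}


def demo():
    """Constructed scenario: school network unlimited, a game site with a byte cap on web
    ports, a movie site with a 60 s cap, everything else dropped by the default rule."""
    fw = MapFirewall(hoa="2001:db8:1::100", ha_address="2001:db8:1::1")
    fw.install_rules([
        Rule("2001:db8:10::/48", "pass"),
        Rule("2001:db8:20::5", "pass", max_bytes=3000, protocols=frozenset({"tcp"}), ports=frozenset({80, 443})),
        Rule("2001:db8:30::9", "pass", max_seconds=60),
    ])
    packets = [  # (CN, protocol, port, bytes, time)
        ("2001:db8:1::1", "udp", 500, 120, 0.0),    # HA signalling: always forwarded
        ("2001:db8:10::7", "tcp", 443, 1400, 1.0),  # school web site: forward, no limit
        ("2001:db8:20::5", "tcp", 80, 1400, 2.0),   # game site: 1400 of 3000 bytes
        ("2001:db8:20::5", "tcp", 80, 1400, 3.0),   # 2800 of 3000 bytes
        ("2001:db8:20::5", "tcp", 80, 1400, 4.0),   # would reach 4200: channel broken, drop
        ("2001:db8:20::5", "tcp", 443, 60, 5.0),    # same channel, still broken: drop
        ("2001:db8:20::5", "udp", 53, 60, 6.0),     # udp outside the Restriction: default rule, drop
        ("2001:db8:99::1", "tcp", 80, 1400, 7.0),   # no entry for this CN: default rule, drop
        ("2001:db8:30::9", "tcp", 80, 800, 10.0),   # movie site: within 60 s, forward
        ("2001:db8:30::9", "tcp", 80, 800, 80.0),   # 70 s after the first packet: drop
    ]
    return [fw.handle(*p) for p in packets], fw
```

Because the Restriction narrows which packets a rule applies to, a packet outside the rule's protocols or ports falls through to later entries and finally to the default rule, which is why the default should be "drop" for the teen scenario ("all sites but those specified above"). The per-channel counters live only in the MAP, so they are reset when a fresh MSR replaces the rules, and they go away with the MLV message that removes the MN's entries.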
