ad info  technology > computing
    Editions | myCNN | Video | Audio | Headline News Brief | Feedback  




Consumer group: Online privacy protections fall short

Guide to a wired Super Bowl

Debate opens on making e-commerce law consistent



More than 11,000 killed in India quake

Mideast negotiators want to continue talks after Israeli elections


4:30pm ET, 4/16










CNN Websites
Networks image

WAP in the office

Network World Fusion

(IDG) -- Unless you've been living in a permanent dead zone, you've heard the predictions that wireless is marching into your world like the Roman army. Forecasts from research firms Jupiter Communications and IDC have been quoted so often that they've become the wireless industry's call to arms: The number of wireless Internet users will exceed PCs on the Internet, Jupiter predicts, with wireless Web users increasing from 300 million last year to one billion in 2003. IDC's drumbeat is even louder. It expects wireless surfers to overtake wired ones by 2002.

Other analysts echo these hails, prophesying an industry in unprecedented growth. The inspiration for this growth is the Wireless Application Protocol (WAP), a set of protocols built by the WAP Forum. WAP creates a network infrastructure to make Web content skinny enough to fit on tiny cell phones and PDAs.


"Last year, it was XML and [storage-area networks]. This year, the hottest buzzword is WAP," says James Kobielus, an analyst with The Burton Group and Network World's "Above the Cloud" columnist.

Some even claim the wireless Web is here now. Sprint PCS reported that it enlisted half a million WAP subscribers by the second quarter of this year., a WAP originator and maker of the Up.Browser for cell phones, attributes its take-notice growth to the rise of the wireless Web. In the second quarter of this year, subscribers to's wireless Internet service doubled from two million to more than 4.1 million. Up.Browser's shipments to device manufacturers doubled to 12 million. The most telling of all, the number of registered developers creating wireless Web sites and applications grew from 62,000 to 110,000, the company reports. was purchased by in August.

  Network World Fusion home page
  What's up with WAP? (Part 1)
  What's up with WAP? (Part 2)
  Gates doubts WAP future
  Reviews & in-depth info at
  Questions about computers? Let's editors help you
  Subscribe to's free daily newsletter for network experts
  Search in 12 languages
  News Radio
  * Fusion audio primers
  * Computerworld Minute

"Enabled devices, services and applications," the industry gloats, "we've got it all." But there's more. With a maniacal laugh, the hype machine declares: "Consumers first, then the enterprise. And you network guys can't stop it, because this adoption differs from any other in history. It will be the first technology to infiltrate the enterprise from the consumer market."

"Technology has always started as a business application and gone to consumers. I've never seen the reverse. This is unique," says Riddhi Patel, a senior analyst of enterprise wireless technologies for market research firm Aberdeen Group in Palo Alto.

That means, as the popular theory goes, employees using Web-enabled phones for personal e-mail and stock trading will clamor for wireless access to intranet applications.

But the hype machine is wrong. You won't be overrun. You'll be the wireless Web champion, recognizing when it offers competitive benefits and when it doesn't.

Almost three-quarters of Network World Fusion readers polled said they are "watching" WAP and "will take action if necessary." Another 8% of the 71 respondents said they already buy PDAs for their employees and use them like laptops. The remaining 21% believe WAP will remain a consumer technology, or their companies have policies against the use of wireless devices.

Obviously, you'll be prepared. You'll make your wireless infrastructure as secure and reliable as your wired network. You know the competitive advantage is going to be huge for the right applications. Those who have taken the plunge are proving it.

Take Memorex Telex Ireland, for example. This Dublin company has implemented one of the first mobile phone, WAP-enabled enterprise applications. Its salespeople use cell phones to access a newly created electronic customer relationship management application via cell phone provider Esat Digifone and software designed by electronic CRM vendor eWare.

Prior to the WAP application, salespeople couldn't access a central CRM system while on the road, says Rory Harte, the project's technical leader at Memorex. "We had a number of contact management systems and salespeople maintaining their own diaries on everything from Palm Pilots to paper diaries - but they had no real-time access except at their desktops. From a business perspective, the advantages were obvious," Harte says.

Most analysts project that Europe is 12 to 18 months ahead of the U.S. when it comes to adoption of wireless technologies such as WAP.

By watching WAP's development overseas, you'll know when wireless makes sense in your company. With a few specialized exceptions, you'll shrug off the frenzy urging you to adopt immediately and wait for these three critical components: end-to-end security, robust content translation tools and mature, interoperable services and devices.

Take a WAP

Only if your organization meets specific circumstances should you engage WAP now. One is if an application vendor has already WAP-enabled a product you use.

This is the case for Envision Marketing, an advertising company in Boston. Its mission-critical art design application runs on an IBM AS/400 minicomputer. The company uses ResQPortal by to give the AS/400 application a graphical user interface and make it accessible to Envision's clients via the Web, says Jeff Shaw, president of Envision.

When developed a WAP add-on to ResQPortal last spring, the vendor asked Shaw to beta-test it. Shaw's original thought was that the add-on, dubbed ResQME, would be for customers, offering them another means to access real-time information. Because he was also an owner of a Palm PDA with wireless Web and e-mail access, he found himself tapping into the application. It dawned on him to equip his employees with Palms so they could also access real-time data from anywhere.

"Palms are a great way to communicate with our people. It keeps them from carrying laptops all the time, and at the airport or a client's office, having to find a phone plug," Shaw says.

Now ad designers can e-mail account representatives wherever they are. The account reps can log on to ResQPort, get real-time data and answer the designer's questions on the spot. Projects can be completed more quickly because they don't stall while waiting for input or approvals.

"As a smaller company, systems like this let us compete through technology," Shaw says.

Another reason your company might be engaging WAP now is to serve consumers rather than employees. Certainly, online traders are there. Firms like Charles Schwab and Quick & Reilly already support WAP devices.

Consumer activity could have some far-reaching effects on a service provider's relationship to the company, says Mark Lowenstein, senior vice president of The Yankee Group, a market research firm in Boston. Lowenstein says he envisions a time when a brokerage firm could issue handsets to customers who agree to make a specified number of trades per month, and so the brokerage "becomes a reseller of wireless services."

The same scenario could be applied to extranets. Support for the devices would land in your purview.

Serving consumers could let your IT staff cut its teeth on a bit of wireless and WAP technology without any risk to your internal network. You'd simply hang your WAP content server outside the firewall. Still, that won't give you the experience you really need when it comes to wireless as an enterprise client - namely security.

The misnomer: WAP 'security'

The big reason to wait is that an unnerving security hole exists in WAP Version 1.1, the standard's current iteration. This is another point of hype over WAP. Some say the hole is a crater, while others pooh-pooh it as an eye of a needle.

The problem stems from WAP's basic design. It is a set of protocols separate from, yet connected to, the wired Web. WAP is its own IP infrastructure, meant to compensate for the restrictions of wireless: low-bandwidth pipes, unreliable connections, clients with short battery life, small screens, little-to-no processing power and no mice.

Whereas the wired world is a two-tier model for serving data to users - the Web server and the browser - WAP adds a third layer, the gateway. The gateway translates from WAP to Web protocols so WAP devices can access services on the 'Net, such as e-commerce transaction engines. Gateways may also offer other features, depending on the manufacturer. For instance, Motorola's MIX gateway integrates voice with data access.

WAP's security layer, the Wireless Transport Layer Security (WTLS) specification, is modeled on TLS, a revised form of Secure Sockets Layer (SSL). WTLS encrypts transmissions from the device to the gateway, just as TLS/SSL encrypts from the browser to the secure Web server.

Before a gateway can convert a WTLS stream to an encrypted TLS or SSL stream, it must first decrypt the WTLS packets. Therein lies the rub. For a split second, the data is in the clear in the WAP gateway's memory. Because these packets are destined for a secure server on the Web, sensitive data is affected.

How big the risk is depends on your point of view.

"To sniff data out of a WAP gateway before it goes to SSL, you'd have to have a root password to the gateway and physical access to the machine. You'd have to know a lot of architecture," says Jacob Christfort, chief technology officer and vice president of product development for, which runs a mobile portal for consumers and plans to offer itself as a gateway outsourcer to companies.

Then again, who said hackers need breaches to be slow and easy? If the stakes are high enough - passwords to your network infrastructure - the bad guys will find a way, Burton Group's Kobielus points out. "The issue is that the data only spends a millisecond in the clear. But that doesn't stop someone from planting a virus or a sniffer to look at the data quickly, scan it and store it," he warns.

Four fixes

There are four main ways to fix this hole. First, do nothing with WAP until it matures. Members of the WAP Forum are working feverishly to provide end-to-end security from device to TLS/SSL server. Scott Goldman, CEO of the WAP Forum, swears "almost military" end-to-end security will be part of WAP's next major release, reports industry watcher Joanie Wexler in her Network World newsletter "Wireless in the Enterprise."

This change will be in the release after 1.2; that release will follow a new naming convention and be called Q42000. The forum is cranking out releases at record pace, every six months, with products following a few months later. The 1.1 products trickled onto the market in the first half of the year, and 1.2 products will be making their debut before year-end.

Second, place the WAP gateway in a spot where someone can't gain physical access to memory. This is easy if you buy your own, but trust becomes an issue if you outsource. Can you be sure the service provider is aptly securing your hosted gateway?

Third, implement more security, including some at a higher level in the stack than the transport layer. An application can require passwords, for example. This was Memorex's choice, says Ivan McDonald, CEO of eWare. "EWare has its own application-level security, and Memorex uses a [VPN] implemented using the facilities of the mobile operator and our software," he explains.

Better still, disconnect the WAP application from the rest of the network. Memorex users must log on to Memorex's firewall correctly before they gain access to the CRM database, says Memorex CEO Paschal Naylor. "EWare is a thin client. It's the same whether it is being accessed via a browser or via a WAP-enabled phone. Our CRM system server is isolated from the rest of our network, thus ensuring that our security is not compromised," Naylor says.

Fourth, add WAP devices to your public-key infrastructure (PKI). In most cases, you'll have to wait until the WAP industry matures. Still, Baltimore Technologies and other PKI vendors have proposed WTLS PKI extensions such as the Wireless Identity Module (WIM).

"WIM defines where users will store their key pairs and certificates," says Guy Singh, a product manager at Baltimore. "Storage could be on the handset or a separate card that plugs into the device."

Devices have to be modified with the equivalent of PC cards, or their Subscriber Identity Modules (SIM) must be altered to support stored certificates. SIMs identify the device to the carrier. Both options are being tossed around by the device makers and developers of next-generation network protocols.

In the meantime, Baltimore is about to ship Telepathy, an add-on for its Unicert certificate management system that provides WTLS- and PKI-to-WAP gateways and devices. It can work with remote WAP gateways, which means the WAP gateway may reside at the service provider's site while the PKI proxy server stays home with you. Telepathy will compete with RSA Security's BSAFE WTLS 1.0 and Securant Technologies' ClearTrust SecureControl.

Securing transmission is only half your worry. Securing the device is the other. The hype has rung out over viruses that attack cell phones through their new scripting abilities, such as Sun's Java2 Micro Edition and WMLscript. Still, cell phones won't be much of a target because they don't store a lot of data or applications.

Access control is more pressing. By decreasing client size, you increase loss potential. Do you want your corporate jewels accessible to any hacker with brains enough to steal a cell phone? Analysts such as Kobielus think not. He thinks coming-generation devices will include more advanced security than SIMs equipped with certificates, perhaps even biometrics.

Until then, create policies that force users to account for their devices regularly - and establish procedures for deactivating devices quickly.

Jabbering Palms

The first WAP 1.1-compliant phones only began shipping in the U.S. weeks ago. So unless your idea of maturity is a green banana, we're talking about an unproven client. Mix that with the headache of generating content for phones and you might want to reach for something more ripe (see story, page 60).

Enter PDAs. Throughout the hype over cell phones vs. PDAs, you'll find this common thread of truth: PDAs offer a lot more functionality, particularly for miniaturized enterprise applications, than cell phones. The downsides are higher initial investment costs, more support headaches and, the biggie, synchronization among handhelds, desktops and databases.

Nokia is leading a development effort on SyncML, an upper-level protocol standard for synchronization. Palm supports the SyncML initiative. BlueTooth, a wireless technology that replaces cables with low-frequency radio transmissions, will play a role too, functioning as the low-level connection protocol. The vision is all very "Star Wars," with users marching through the campus zapping data to each others' Palms and to network databases.

In this galaxy, Palm has targeted companies with its HotSync product, which manages PDA user access privileges, offers backup and restore, tracks missing devices and so on.

If the versatility of voice and data is important to your users, then cell phones are for you. When it comes to these, the WAP Forum has recognized that interoperability between devices and gateways could be a problem. It hopes to nip that in the bud. Release 1.2, available now for device manufacturers to design their next generation of phones, includes interoperability testing.

That's likely to be only the tip of the support iceberg for phones, says Steven Griffith, director of mobile business for, one of four systems integrators chosen by IBM last summer to promote wireless technology in the enterprise. will build a test lab in London, where it will mix and match vendor wares.

"There are four environments where wireless will be used: the home, the office, in transit and in public spaces," Griffith says.

The lab will recreate those environments to determine how to support each. For instance, while driving, users might need a voice interface, while train commuters need better authentication - for the day they leave the device on the train seat.

Unclear costs also remain an issue. Vendors currently want to negotiate costs case by case, depending on what pieces of equipment you license, what you rent as a service, how much of the conversion to wireless you want the vendor to do, how many transactions or devices will be accessing the site and a host of other variables. At the least, you'll be paying fees for cellular access and software licensing fees for the WAP-enabled application.

You may also have rental fees for the WAP gateway if you outsource it to a wireless application service provider. That makes sense if the third party will perform other services for you, such as maintaining the WAP pages.

Or you may opt to use your carrier's gateway. In that case, the carrier may not charge directly for the gateway, expecting to recoup its investment with a higher volume of calls.

For those of you who don't want to piggyback onto someone else's gateway, the cost of buying your own will be tens of thousands to hundreds of thousands of dollars. It's even possible to spend $1 million on a gateway, if full integration with a voice system is your goal.

Despite all of these issues, no one questions that WAP is moving toward the company. It just won't cross the mainstream's threshold for about another year.

Wireless technology presents new security challenges
September 7, 2000
In-Fusio brings games to mobile phones
September 5, 2000
Wireless showdown looms in Asia
August 28, 2000
Europeans slow to embrace wireless Web
August 1, 2000
Firm hopes to streamline hand-held Web surfing
July 19, 2000

WAP phone becomes a remote
Gates doubts WAP future
(IDG New Zealand)
Chip enables wireless Net connections
WAP goes color with Hitachi handset
Down to the wireless
(The Industry Standard)
What's up with WAP? (Part 1)
(NetworkWorld Fusion)
What's up with WAP? (Part 2)
(NetworkWorld Fusion)

The WAP Trap: An ExposŽ of the Wireless Application Protocol

Note: Pages will open in a new browser window
External sites are not endorsed by CNN Interactive.


Back to the top   © 2001 Cable News Network. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines.