A network-assisted mobile VPN for securing users data in UMTS

Cited by: 3
Authors
Xenakis, Christos [1]
Ntantogian, Christoforos [2]
Stavrakakis, Ioannis [2]
Affiliations
[1] Univ Piraeus, Dept Technol Educ & Digital Syst, Piraeus 18534, Greece
[2] Univ Athens, Dept Informat & Telecommun, GR-10679 Athens, Greece
Keywords
mobile VPN; UMTS; IPsec; IKEv2; mobile security;
DOI
10.1016/j.comcom.2008.05.018
Chinese Library Classification number
TP [Automation Technology, Computer Technology];
Discipline classification code
0812;
Abstract
This paper proposes a network-assisted mobile Virtual Private Network (mVPN) security scheme that provides secure remote access to corporate resources over the Universal Mobile Telecommunication System (UMTS). The proposed scheme, which is based on IPsec, distributes the security functionality required for deploying a VPN between the involved user's device and the mobile network, limiting the configuration, computation and communication overheads associated with the user and its device. The network-assisted mVPN addresses the security weaknesses of the UMTS technology in protecting users' data and satisfies the security requirements of mobile users. It can be integrated into the UMTS network infrastructure, requiring only some limited enhancements to the existing mobile network architecture and without disrupting network operation. For the initialization of a network-assisted mVPN and the related key agreement, an extension of Internet Key Exchange version 2 (IKEv2) is proposed. The proposed network-assisted mVPN can operate seamlessly and provide security services continuously while the mobile user moves and roams, as it binds the UMTS mobility management with the VPN deployment. The deployment cost of the proposed scheme is evaluated analytically and via simulations, and is compared to that of the end-to-end (e2e) VPN scheme, which protects the data exchanged between the mobile user and the remote server, and to that of a scheme that does not include any additional security mechanism. The proposed scheme increases the cumulative VPN deployment cost compared to the e2e scheme, but it considerably limits the VPN deployment cost of the involved mobile station (MS), which is important due to its resource limitations. Moreover, it does not considerably affect the capacity of the UMTS network. Finally, the deployed network-assisted mVPN has hardly any impact on the total delay of the transmitted user's packets. © 2008 Elsevier B.V. All rights reserved.
Pages: 3315-3327
Page count: 13