Alternative Schemes for Dynamic Secure VPN Deployment in UMTS

Three alternative schemes for secure Virtual Private Network (VPN) deployment over the Universal Mobile Telecommunication System (UMTS) are proposed and analyzed. The proposed schemes enable a mobile node to voluntarily establish an IPsec-based secure channel to a private network. The alternative schemes differ in the location where the IPsec functionality is placed within the UMTS network architecture (mobile node, access network, and UMTS network border), depending on the employed security model, and whether data in transit are ever in clear-text, or available to be tapped by outsiders. The provided levels of privacy in the deployed VPN schemes, as well as the employed authentication models are examined. An analysis in terms of cost, complexity, and performance overhead that each method imposes to the underlying network architecture, as well as to the mobile devices is presented. The level of system reliability and scalability in granting security services is presented. The VPN management, usability, and trusted relations, as well as their behavior when a mobile user moves are analyzed. The use of special applications that require access to encapsulated data traffic is explored. Finally, an overall comparison of the proposed schemes from the security and operation point of view summarizes their relative performance.