TechSuccess: Intermec builds a wireless Fortress
- By Brad Grimes
- Mar 18, 2004
"The mobile device is the true edge of the network, so it needs something to lock it down," said John Dow, Fortress Technologies' director of business development.
Fortress Technologies Inc.
New solution secures supply-chain networks without VPN
As Defense Department agencies move to streamline supply-chain operations using wireless networks, they struggle to keep secure the growing number of 802.11b-based wireless networks.
The 802.11b standard, the most cost-efficient and widely adopted wireless networking standard available, has become increasingly easy to deploy yet remains fundamentally insecure. That last fact led the Defense Department to issue a policy requiring that wireless networks had to meet stringent Federal Information Processing Standards for data encryption, the highest standard being FIPS 140-2.
Two years ago, the Defense Medical Logistics Standard Support program began replacing old 900-MHz radio devices with 802.11b handhelds and wireless access points from Intermec Technologies Corp. of Everett, Wash. The DMLSS program integrates medical supply chains for the Army, Navy and Air Force using wireless networks deployed in 198 hospitals worldwide to help expedite logistics tracking and inventory control.
According to George Moss, Intermec's director of government sales, DMLSS spends up to $4 million a year on its wireless networks. He said old devices had simply outlived their usefulness, and new, 802.11b-based, handheld devices gave the DMLSS opportunities to enhance its supply-chain applications.
"Security was not a big deal in the original 900-MHz system. I would challenge anyone to find their way in," Moss said. "It wasn't an issue, because there were no IP addresses. It was a very proprietary protocol. But 802.11b changed that."
The question was how would Intermec secure the 198 wireless networks that support the DMLSS program and bring them into compliance with FIPS standards?
Last August, the company began integrating security products from Fortress Technologies Inc., an Oldsmar, Fla.-based vendor that has deployed wireless security solutions for other Defense Department agencies, including the Defense Commissary Agency and the Defense Logistics Agency.
"Fortress was one of the first security vendors to get end-to-end FIPS certification," Moss said.
Traditionally, when organizations want to secure 802.11b-based wireless networks, the only solution available to them is virtual private networking. But VPNs can be cumbersome to deploy and difficult to manage. And when, like DMLSS, the organization uses handheld devices to connect to the wireless network, VPN technology can be especially difficult to use.
"We don't see as much use of VPN when the customer is using handheld devices, because of the management of the client software," said John Dow, Fortress Technologies' director of business development. "There's significant overhead associated with VPN clients."
VPNs do little more than initiate a wireless session and establish a secure tunnel to the wired network. As a general rule, they don't protect IP addresses and other network information, which leaves them vulnerable to denial-of-service attacks.
Dow said in government deployments, wireless security must extend all the way to the client by ensuring that the device is a trusted part of the network. Fortress does this through a system of access IDs, device keys and passwords that authenticate clients and users while hiding network information. Fortress also encrypts all communications from end to end.
"The mobile device is the true edge of the network, so it needs something to lock it down," Dow said. "The client software doesn't allow that device to communicate with anyone but a trusted member of the network."
"We had the Fortress technology tested by the NSA, and they validated that they could not break the algorithms," said Garry Duvall, deployment manager for DMLSS. "Now we can encrypt the data from the handheld, through the LAN and to the server."
The Fortress solution includes three main parts: a thin (100K) client program, a gateway connected to one or more access points and an access control server application that runs on the enterprise network.
Moss said the AirFortress Security Gateway is quick to deploy. The integrator connects the access points to the gateway, which acts as a secure bridge to the wired network. Minimal configuration is required. Intermec installs the AirFortress Secure Client software on its Microsoft Pocket PC-based handhelds, making the application transparent to users. The client software also supports wireless notebooks or network clients running Windows, DOS or other operating systems.
The number of gateways a network needs depends on the number of access points, but because of the low-bandwidth nature of supply-chain management applications, DMLSS can run their wireless networks, which typically comprise up to 15 access points, on five or fewer AirFortress gateways.
"We have the AirFortress going into 50 facilities today," Duvall said. "It will be in all our facilities in the next 18 months."
If you have an innovative solution that you recently installed in a government agency, contact Staff Writer Brad Grimes at firstname.lastname@example.org.