Wireless security: 'We have to do the right things'
With its security improving, wireless is set for deployment
Sidebars: Intel to perform its own Wi-Fi testing; ABCs of secure Wi-Fi; Wireless networking opportunities
- By Brad Grimes
- Sep 24, 2004
During a Baltimore conference last summer of 1,000 Homeland Security Department workers, Robert West, the agency's chief information security officer, made the rounds at an after-hours social event. There he met a federal air marshal eager to show him what was running on his wireless personal digital assistant.
"This is how they send me orders; this is how they tell me what airplane to get on," the marshal told West, illustrating how wireless communications let air marshals respond quickly to changing plans and last minute threats.
West was impressed but had a simple reply: "That's great, but our wireless policy right now is no wireless." Wireless posed too many security risks.
Then the marshal told West what had happened a couple of weeks earlier. A colleague was on his way to a flight when he got an Amber Alert on his wireless PDA. Using the PDA, the marshal was able to download a picture of the missing child, catch the abductor and return the child home.
"Now, if you're me, puffing your chest and saying wireless is not an option, what do you say to that?" West said, recounting the incident for a crowd of government officials and industry executives at a wireless security conference held earlier this month by Government Computer News and the Wi-Fi Alliance. Government Computer News and Washington Technology are publications of PostNewsweek Tech Media.
"It was one of those watershed events for me in my short tenure within the department," West said.
The Homeland Security Department has since changed its policy to permit certified and accredited wireless networks. The department has formed a wireless-security working group to perform risk assessments and identify secure methods of deploying wireless networks.
And although DHS has been criticized for not adequately implementing security practices -- most recently in a July report by its own inspector general -- there's no turning back now, West said.
"The wireless train has left the station," he said. "There's a point at which you just have to step up and say there's new technology, it does help, and for all the lack of security, we have to do the right things."
LATEST AND GREATEST
A new wireless security standard published earlier this month by the Wi-Fi Alliance will help ease agencies' security concerns and spur adoption of wireless networks in government, according to experts. Dubbed Wi-Fi Protected Access 2 (WPA2), the standard incorporates encryption approved by the National Institute of Standards and Technology to protect data that is transmitted wirelessly.
Ronald Jost, director of wireless at the Defense Department, told conference attendees that the department would be asking for WPA2-certified solutions when it procured wireless networks. That, according to the Wi-Fi Alliance's managing director Frank Hanzlik, is a ringing endorsement.
"If it makes sense for DOD, it should make sense for other government agencies," he said. "There's been overwhelming support for WPA2. Now that we have something that's government grade, the reception has been positive."
The Wi-Fi Alliance is a nonprofit industry group established to standardize wireless networking technologies around the Institute of Electrical and Electronics Engineers' 802.11 specification. The alliance, which includes heavyweights such as AT&T Corp., Cisco Systems Inc., IBM Corp., Intel Corp. and Motorola Inc., tests and certifies products to ensure they meet its standards and are compatible with other Wi-Fi solutions.
Until now, Wi-Fi certification was important to commercial users, but meant little to government agencies, which take their cues on wireless implementation requirements from NIST.
"NIST is in the driver's seat for standards in the federal government, and rightly so," West said.
At the core of NIST's information security program are the Federal Information Processing Standards, most importantly FIPS 140-2, which describes how data must be encrypted to remain secure in a wireless network.
Until WPA2, no Wi-Fi standard met FIPS 140-2 requirements. That didn't stop more than 600 products from earning Wi-Fi certification based on the earlier WPA security standard and an encryption scheme called Temporal Key Integrity Protocol (TKIP).
Most of those products worked well, but they couldn't earn NIST's blessing. Some agencies that wanted to build wireless networks and comply with FIPS 140-2 ended up installing special FIPS-compliant security appliances behind their wireless access points, such as the AirFortress line of gateways from Fortress Technologies Inc. of Oldsmar, Fla.
Today's WPA2 incorporates the Advanced Encryption Standard (AES), which uses stronger, 128-bit keys to encrypt data and became a NIST standard in November 2001. The wireless industry has also begun adopting a method of employing AES called Counter Mode with CBC-MAC (CCM), which meets NIST's approval.
"Only now are we able to take a WPA product through FIPS because of the way AES is being used," said David Cohen, senior product marketing manager of Broadcom Corp. and chairman of the Wi-Fi Alliance Security Task Group.
EIGHT MONTHS TO PREPARE
To date, only eight products have earned WPA2 certification, although Hanzlik said there should be a steady flow of WPA2-certified solutions in the coming months. The alliance has beefed up the number of labs that can perform Wi-Fi testing, which normally takes only a few days.
Ann Sun, senior manager for wireless and mobility marketing at Cisco, said all the company's wireless infrastructure products would incorporate WPA2-certified technology by the end of the year.
Experts said WPA2 certification wouldn't necessarily speed up the process of achieving FIPS compliance, not that there's any need to rush things.
WPA2-certified products could take eight months to make their way through the FIPS approval process, said Eric Hall, systems architect for wireless service development at EDS Corp.
Agencies should be using that time to plan wireless network deployments so they're ready to move when the FIPS-certified products become available, he said.
"The lag in government adoption was due largely to a lack of encryption that met FIPS 140-2 standards," Hall said. "It's been going on under the covers, but agencies can really start working on it now."
Hall said integrators should not expect to see a lot of new wireless networking contracts to bid on. The work will likely be performed under other networking or IT infrastructure vehicles. "Many of the relevant contracts are already in house," he said.
But Hanzlik said he encourages agencies to specify WPA2-certified products in future requests for proposal.
"A quarter of products fail Wi-Fi testing the first time through," Hanzlik said. "The risks are high when an agency doesn't look for certified solutions."
Staff Writer Brad Grimes can be reached at firstname.lastname@example.org.
INTEL TO PERFORM ITS OWN WI-FI TESTING
In a laboratory in Chantilly, Va., Intel Corp. engineers are doing their own interoperability testing of wireless networking products to help integrators and agencies with Wi-Fi adoption.
The Santa Clara, Calif., company's Secure WLAN Infrastructure for Government initiative is in direct response to requests from the government IT market, Intel officials told Washington Technology.
"We're not doing this for any reason other than it's required by our customers. They're asking for it," said Kevin Quinn of Intel's federal sector marketing group. That's why the company has accelerated its testing, he said.
The problem Intel is trying to address is agencies' confusion as to what products are required to deploy a wireless infrastructure that meets government security standards, Quinn said. Intel wants to establish a framework that will help agencies do everything from securing portable devices to scanning for rogue access points.
Intel will categorize wireless products and map them against government-specific security issues to come up with multivendor solutions that meet FIPS 140-2 and agency-specific security requirements. Intel will validate its solutions with government agencies and publish its findings on a Web site that integrators and agencies can access.
Intel's testing will be separate from the Wi-Fi Alliance's certification and compatibility testing, although Intel is an alliance member.
Frank Hanzlik, managing director of the Wi-Fi Alliance, only heard of the Intel initiative when the company presented it at this month's Government Computer News Wireless Security Conference. Hanzlik was concerned that the more groups doing compatibility testing, the more agencies could get confused.
ABCs OF SECURE WI-FI
Government agencies have been loath to adopt wireless networking technology for fear it wasn't secure enough to protect data traffic. Today, the situation is changing, but it can be hard to know what to offer government users without a clear understanding of the standards behind wireless security. Here's a primer:
802.11i: Ratified in June by the Institute of Electrical and Electronics Engineers, 802.11i is a wireless networking standard that incorporates the Advanced Encryption Standard, a method for securing data that was adopted by the federal government in 2001.
Advanced Encryption Standard (AES): A strong encryption standard that uses 128-bit, 192-bit or 256-bit keys to protect data as it travels over a network. It was approved by the National Institute of Standards and Technology in November 2001 to replace the Data Encryption Standard (DES). AES requires significant processing power. Wi-Fi products that don't include hardware to support AES cannot easily be upgraded to support the new encryption standard and likely will have to be replaced.
Federal Information Processing Standards (FIPS): Standards published by NIST for dealing with computer security. FIPS 140-2 describes how data should be encrypted as it travels over a network. Most agencies consider FIPS 140-2 compliance a requirement for wireless networking. AES adheres to FIPS.
Wired Equivalent Privacy (WEP): The earliest form of Wi-Fi security. It was roundly criticized for being easy to compromise and offering very little security.
Wi-Fi certified: Products that pass certification of the Wi-Fi Alliance have been tested to comply with the group's standards and to interoperate with other Wi-Fi-certified products.
Wi-Fi Protected Access (WPA): The Wi-Fi Alliance developed WPA to supersede WEP. It is based on an early version of the IEEE's 802.11i secure networking specification. It uses an encryption scheme called Temporal Key Integrity Protocol (TKIP), which is far more secure than WEP but does not meet the security requirements of NIST. Products that meet WPA specifications can still achieve Wi-Fi certification. More than 600 products are Wi-Fi-certified for WPA security.
Wi-Fi Protected Access 2 (WPA2):
Released Sept. 1, WPA2 is the functional equivalent of the 802.11i wireless networking standard. It incorporates AES encryption and complies with FIPS 140-2 requirements. Agencies and industry view WPA2 as a significant advance toward acceptance of secure wireless networking in government. Note that products can earn the Wi-Fi seal of approval without incorporating WPA2. Check the Wi-Fi Alliance Web site (www.wi-fi.org) for a list of certified products and the level of security (WPA or WPA2) they incorporate. To date, only eight products have been certified for WPA2 compliance.
WIRELESS NETWORKING OPPORTUNITIES
House Mobile Computing Program, House of Representatives
Value: Not available. RFI date: August. Estimated award date: not listed.
The House is planning to build a secure, 802.11 wireless network. The contracting office is looking for Wi-Fi-certified products that support the most current security standards.
Information Technology Enterprise Solutions II, Army
Value: Not available. Estimated RFP date: December. Estimated award date: not listed.
This broad IT procurement vehicle will be a follow-on to the ITES contract. In addition to servers, workstations, storage systems and more, contractors will be required to provide networking equipment, including wireless solutions.
Nomadic System Management, Support and Service, Agriculture Department
Value: $250,000. RFP date: August. Estimated award date: not listed.
The Agriculture Department's Natural Resources Conservation Service requires mobile computing devices, network support and services to provide agency personnel with wireless connectivity to the department backbone. The solution needs to support secure 802.11 communications.
Systems Integration and Integrated Logistic Support, Coast Guard
Value: Not available. Expected RFP date: October. Estimated award date: not listed.
In July 2003, the Coast Guard issued an RFI for technologies to enable voice and data communications on cutters. The contracting officer specified 802.11 wireless connectivity as a possible solution. So far, the procurement is on hold.
Wireless Communication Devices, Homeland Security Department
Value: Not available. RFI date: July. Estimated award date: not listed.
The Immigration and Customs Enforcement agency requires wireless communication devices. The agency would like to see proposals that include integrated 802.11 wireless networking capabilities, but it absolutely requires support for FIPS 140-2 encryption.