No stopping wireless

Integrators to plan for secure access as demand grows

RFP Checklist: Wireless networks

Securing wireless networks means answering critical questions. Imagine your customer's wired network infrastructure. Now imagine it again without wires. A wireless LAN comprises many parts, but when they work together, they create a communications infrastructure as secure as a conventional wired LAN. Building a secure, wireless network requires attention to detail. Here's a partial list of questions to answer when agencies come looking for a secure wired LAN.

» What wireless protocols does the solution support? 802.11a/b/g? Bluetooth? WiMax?

» What encryption standards does it use? Does the device comply with Federal Information Processing Standard 140-2?

» Will the agency's equipment support the encryption standard, or will it need upgrading? Will client devices need upgrading?

» How does the system support different types of traffic that require higher or lower levels of security?

» Are different categories of users routed over separate physical LANs or virtual LANs?

» Can visitors get temporary Internet access? What about contractors?

» Does the system restrict access depending on physical location? For example, users in a lobby or conference room might get access to the Internet but not to the enterprise network.

» Does the wireless authentication system use the same user identification and password data as the rest of the network, or do two systems need to be maintained?

» What type of intrusion detection and prevention does the vendor propose? Are these separate sensors, or do the access points do a double duty? How many sensors will there be? Are they active or passive?

» Are the Media Access Control addresses of wireless cards registered with the wireless LAN or do users only need an ID and password?

» Must users re-authenticate when moving between different segments of the wireless LAN?

» Does any software need to be loaded on the client devices?

» How is security enforced on the end points? Will personal firewalls and anti-virus clients be centrally managed? How do the security measures affect network performance? Do you need Secure Sockets Layer off-loaders or encryption accelerators?

» Will access be granted to devices that are out-of-date or misconfigured? Can they be quarantined while remotely updated or reconfigured?

» Will the wireless equipment and software work with the network and applications?

» How is the wireless LAN managed? Can you monitor traffic loads and performance on individual segments?

» Can you remotely manage access points to turn them on or off or change the configuration?

» Will all the pieces work together? Does the system need some extra piece to work?

Like other types of IT, wireless networks offer a mix of benefits and security threats. The potential threats are enough to make security officers and their contractors cringe. But the user benefits ? those are enough to make users lay out their own cash to set up access.

Like it or not, integrators must be prepared to install and secure a wireless LAN for their customers, or people will start looking to deploy one of their own.

"You are battling the fact that people can purchase and deploy a wireless network easily," said Stan Gatewood, information security officer for the University of Georgia at Athens. "They can go downtown and buy an access point for under $50."

Then there is the matter of securing mobile devices that access a wireless LAN. Don Rhodes, a civilian IT specialist at Fort Dix, N.J., said that soldiers coming to the base for training before deploying to the Middle East expect to use their PCs for both work and e-mailing home. The choices come down either to strictly policing users' computer habits or, as Rhodes is doing, making the wireless LAN itself secure.

"Even if you tell them not to, users are going to use their personal PCs to conduct government business," Rhodes said. "We would rather have a network that has some security on it than a wide-open system like we had before."

Earlier this year, the Agriculture and Defense departments released directives on securing wireless LANs. Both documents have a good overview of the steps an integrator should take in proposing and deploying a secure wireless network.

Common components

Securing a wired or wireless network involves a mix of hardware, software, policies and training. In setting up a system, however, an agency needs to consider the end-to-end network and ensure that all pieces work together.

For example, if different parts of the wireless LAN are operating on disparate encryption schemes, the network will default to the lowest standard.

If you're using an older security standard such as Wireless Protected Access or multimode security, "you are only as secure as your weakest link," said Peter Firstbrook, research director in information security and privacy for Gartner Inc. of Stamford, Conn.

Similarly, unless an agency offers client hardware to all potential users, the wireless LAN must accommodate a wide variety of connecting devices without compromising security.

"Many solutions are vendor-specific to the client device and, therefore are not protecting everything over a wide range of clients," said Sonny Gutierrez, LAN/WAN security specialist for CDW Government in Herndon, Va.

The wireless policies from the Agriculture and Defense departments take an end-to-end view of wireless networks. While the directives differ in specifics, they also address certain common areas that are applicable to securing any wireless network. These include:

» Standards

» Encryption

» Authentication

» Interoperability

» Client security

» Wireless intrusion detection

» Configuration management.

"The largest threat is misconfiguration, or taking an access point out of the box and leaving the default settings in place," said Alex Zaltsman, managing partner of Exigent Technologies LLC of Morristown, N.J. "Default administrator passwords can be obtained easily by downloading a user manual, and access points come with encryption disabled."

The client devices also must be configured to access only the official network, not some other signal that might bleed over into the office from a neighbor.

"You don't want people jumping from wireless LAN to wireless LAN. You want them to be stuck to the wireless LAN you want them to use," Gartner's Firstbrook said. "Unfortunately, most of the wireless LAN drivers are very promiscuous. Microsoft will join any wireless LAN that is available."

Security principles

Although there are general guidelines to setting up a secure wireless LAN, each system must be designed to meet the business and security needs of the particular organization.

Just as in the wired world, networks vary in their degree of openness, flexibility and secrecy. When it's time for an agency to build out its wireless LAN, consider the following examples to see which most closely match the agency's requirements.

Wireless LAN 1

Maximum security. The Joint Forces Command's Joint Futures Lab in Suffolk, Va., set up a wireless LAN for mobile workers and guests in the three buildings on its campus. Users can access voice, video, data, Web sites and e-mail.

The network has 130 access points and a 2-gigabit backbone supporting 802.11 a/b/g devices, and uses 802.16d wireless metropolitan area network between buildings. The network uses a five-layer, defense-in-depth architecture and an array of security technologies, including Air Fortress encryption gateways from Fortress Technologies Inc.; Bluesocket Inc. wireless gateways and firewalls; AirDefense Inc. wireless IDS; virtual private networking over IPSec from Cisco Systems Inc.; and a wireless management platform from Airwave Wireless Inc.
Planned enhancements include full disk encryption, a Layer 2 VPN, policy enforcement agents and end-point management.

One of the biggest challenges, said Jared Judy, wireless network engineer, is "getting vendors to play together for integration purposes, so administrators don't have to bounce between three, four or five different console screens to be able to monitor and manage the system."

Wireless LAN 2

Public access network. Burbank, Calif., last year set up a metropolitan wireless network covering its downtown. The square-mile hot spot uses ruggedized 802.11b/g access points from M-Gravity LLC of Torrance, Calif., which connect to a Proxim Inc. MP.11a system.

A Bluesocket WG1100 wireless gateway controls bandwidth, session time limits and authentication. Internal security is tighter than with wireless LAN 1.

"Burbank uses wireless capabilities to extend the reach of the LAN to buildings not connected via fiber optics," said Perry Jarvis, the city's chief information security officer. "We run many mission-critical applications over our citywide wireless bridge network and offer free WiFi in many locations."

To protect the network, the city has multiple firewalls and intrusion detection and prevention appliances at key points.

"The city uses many common security practices, such as Media Access Control filtering, encryption, hidden service set identifiers and strong passwords to secure our wireless network," Jarvis said.

Wireless LAN 3

For work and play. Don Rhodes is setting up a dual-purpose wireless network at Fort Dix. Troops training there will be able to use personal PCs for public Internet access, and base staff will be able to use it for official business.

"We are approaching the project from a security perspective as well as a business perspective, and I believe we have balanced both," Rhodes said.

The system is undergoing evaluation, testing and certification, so no official business is being conducted over it.

In the meantime, however, there are hundreds of morale, welfare and recreation users.

Both categories of users share the same access points, which cover dormitory day rooms and outside spaces and provide network access to devices in buildings not connected to the fiber network. The wireless traffic goes through an Aruba 5000 controller, where it's then routed to separate virtual LANs.

"If you don't have Federal Information Processing Standard encryption, the Common Access Card and proper authentication, it won't let you onto the government network, it will send you to the Internet," Rhodes said.

Although it has not been approved yet, Rhodes said it should meet the base's security needs. "The Aruba controller gives us confidence that the traffic coming across our wired network is secure," he said.

However a customer chooses to approach a wireless LAN, deploying the network involves balancing usability with the need to enforce security standards. It requires a complete analysis of the business needs and budget, as well as the technology to be used. With some homework and adherence to government policy, it's possible to create a wireless network that is as secure as a wired LAN.

Drew Robb is a freelance technology writer in Los Angeles.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above.

What is your e-mail address?

My e-mail address is:

Do you have a password?

Forgot your password? Click here

Washington Technology Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.


contracts DB