Policy: Be careful out there

NIST's recommendations

  • Understand the network topology

  • Maintain accurate inventories of wireless and handheld devices

  • Back up data frequently

  • Perform regular security audits

  • Keep security patches up-to-date

  • Cover IEEE 802.11 wireless access in agency security policies

Photo: The Naval War College uses the latest 'awesome' techniques to secure a wireless LAN for the school's students. College sysadmin Paul Bertel. Courtesy of the Naval War College.

The National Institute of Standards and Technology last November pronounced wireless networks 'the logical equivalent of an Ethernet port in the parking lot.' It warned agencies that wireless security takes far more effort than for a wired network.

'You can secure wireless, but it's expensive and takes a lot of energy,' said Timothy Grance, a NIST systems and network security manager. 'You have to think about what you're hooking into.'

But he acknowledged that 'wireless is unstoppable. This is a huge and powerful change.'

In Special Publication 800-48 on wireless security, which you can download by going to www.gcn.com and entering 166 in the GCN.com/search box, NIST offers agencies guidance on ways to secure their wireless services.

But the federal government has only one absolute policy about wireless security: If you use cryptography, it must be certified under Federal Information Processing Standard 140-2. And native IEEE 802.11b security, called Wired Equivalent Privacy, does not meet the standard.

Though weak, WEP is better than nothing, Grance said. WiFi Protected Access, a WEP enhancement with better cryptographic key exchange, is not yet in wide use. And only the newest products are taking advantage of the Temporal Key Integrity Protocol, WEP's successor.

Virtual private networking, popular for boosting security, requires careful management. 'A VPN is a tunnel, and a tunnel is a hole,' Grance said. 'It's complicated in a large enterprise. It's painful with different kinds of VPN clients.'

Securing wireless transactions is easier in relatively small, controlled environments. The Naval War College in Newport, R.I., earlier this year installed a wireless network for 400 students in an older building that had no electrical outlets in work cubicles.

'We can't run network cabling,' systems administrator Paul Bertel said. 'We have a room of computers here, a room of computers there, and at crunch time [students] are fighting over computers.'

The school already had a small pool of notebooks for two-week loans to students. So it bought 100 wireless network interface cards and installed 13 802.11b Orinoco access points from Proxim Corp. of Sunnyvale, Calif.

Each notebook received a VPN client and antivirus software before it was allowed on the network.

'We followed Defense Department standards for security' along with best commercial practices, Bertel said.

The network uses VPN 3000 Series concentrators from Cisco Systems Inc. of San Jose, Calif. Authentication is handled by Steel-Belted Radius remote authentication dial-in user service software from Funk Software Inc. of Cambridge, Mass.

The RADIUS server software authenticates users by their 12-digit media access control addresses and their digital certificates, which each student must obtain from the college and install on the notebook.
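The admission rule the college describes, as an added example written for this page rather than taken from the article or from the Steel-Belted Radius product: a device is let in only when its 12-hex-digit MAC address is in the loaner-notebook inventory (one of NIST's recommendations above) and the certificate it presents is the one the college issued for that exact notebook. The inventory, MAC values and certificate bytes are constructed; real deployments would verify a certificate chain rather than compare a fingerprint.

```python
import hashlib
import re
from typing import Dict, Optional, Tuple

# Constructed inventory: each loaner notebook is keyed by its normalized MAC
# and carries the SHA-256 fingerprint of the certificate issued for it.
INVENTORY: Dict[str, Dict[str, str]] = {
    "0002d1a1b2c3": {"owner": "student-017",
                     "cert_fp": hashlib.sha256(b"cert-for-notebook-017").hexdigest()},
    "0002d1a1b2c4": {"owner": "student-018",
                     "cert_fp": hashlib.sha256(b"cert-for-notebook-018").hexdigest()},
}


def normalize_mac(mac: str) -> Optional[str]:
    """Reduce colon-, dash-, dot- or space-separated MAC notation to its
    12 hex digits; return None if the result is not exactly 12 hex digits."""
    digits = re.sub(r"[:\-. ]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def authorize(mac: str, cert: Optional[bytes],
              inventory: Dict[str, Dict[str, str]] = INVENTORY) -> Tuple[bool, str]:
    """Admit a client only if its MAC is inventoried AND the presented
    certificate is the one bound to that device. Returns (admitted, reason)."""
    key = normalize_mac(mac)
    if key is None:
        return False, "malformed MAC"
    device = inventory.get(key)
    if device is None:
        return False, "MAC not in inventory"
    # A MAC address is an identifier, not a secret: never admit on it alone.
    if cert is None:
        return False, "no certificate"
    if hashlib.sha256(cert).hexdigest() != device["cert_fp"]:
        return False, "certificate not bound to this device"
    return True, device["owner"]
```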

'We shut down most of the ports' on the concentrators, Bertel said. Students 'can only get through approved ports, including Port 80 for Web access. We do not broadcast the network name' to prevent unauthorized access by outsiders.

The resulting wireless security is 'awesome,' Bertel said. 'The only issue we see has been in video.' With 802.11b, 'it's kind of crappy. That's the only drawback.'

Grance said the college stands at the most secure end of the wireless security continuum: 'Some networks will be locked down pretty good, some won't.'
