Secure at Last?
- By Brad Grimes
- Oct 20, 2004
The wireless train 'has left the station' and can't be turned back now, DHS' c says.
David S. Spence
Robert West, the Homeland Security Department's chief information security officer, made the rounds at an after-hours social event during a conference last summer. He met a federal air marshal eager to show him what was running on his wireless personal digital assistant.
'This is how they send me orders; this is how they tell me what airplane to get on,' the marshal told West, illustrating how wireless communication lets air marshals respond quickly to changing plans and last-minute threats.
West was impressed but had a simple reply: 'That's great, but our wireless policy right now is no wireless' because of security risks.
Then the marshal told West what had happened a couple of weeks earlier. A colleague was on his way to a flight when he got an Amber Alert on his personal digital assistant. The marshal downloaded a picture of the missing child to the PDA, caught the abductor and returned the child home.
'Now, if you're me, puffing your chest and saying wireless is not an option, what do you say to that?' West asked a crowd of government and industry executives at a wireless security conference held last month by GCN and the Wi-Fi Alliance.
'It was one of those watershed events for me in my short tenure within the department,' West said.
DHS has since changed its policy to permit certified and accredited wireless networks. It also formed a wireless security working group to assess risk and identify secure methods of deploying wireless networks.
Although DHS has been criticized for not adequately implementing security'most recently in a July report by its own inspector general'there's no turning back now, West said.
'The wireless train has left the station,' he said. 'There's a point at which you just have to step up and say there's new technology, it does help, and for all the lack of security we have to do the right things.'
A new wireless security standard published last month by the Wi-Fi Alliance might help ease agencies' security concerns and spur adoption of wireless networks in government. Dubbed WiFi Protected Access 2, the standard incorporates encryption approved by the National Institute of Standards and Technology to protect data that is transmitted wirelessly.
Ronald Jost, wireless director at the Defense Department, told the conference that the department would be asking for WPA2-certified solutions when it procured wireless networks.
That, according to the alliance's managing director Frank Hanzlik, was a ringing endorsement.
'If it makes sense for DOD, it should make sense for other government agencies,' he said. 'Now that we have something that's government-grade, the reception has been positive.'
A standard grows upThe Wi-Fi Alliance is a nonprofit industry group established to standardize wireless technologies around the Institute of Electrical and Electronics Engineers' 802.11 specification.
Members include heavyweights such as Cisco Systems Inc., IBM Corp. and Intel Corp. The alliance tests and certifies products to ensure compatibility.
Until now, certification was important to commercial users but meant little to government agencies, which take their standards cue from NIST.
'NIST is in the driver's seat for standards in the federal government, and rightly so,' West said.
NIST's Federal Information Processing Standard 140-2 describes how data must be encrypted to stay secure on a wireless network.
Until WPA2, no WiFi standard met FIPS 140-2 requirements. That didn't stop more than 600 products from earning WiFi certification based on the earlier WPA security standard and an encryption scheme called Temporal Key Integrity Protocol.
Most of the products worked well, but they couldn't earn NIST's blessing. Some agencies that wanted wireless networks compliant with FIPS 140-2 ended up installing special security appliances behind their wireless access points, such as the AirFortress line of gateways from Fortress Technologies Inc. of Oldsmar, Fla.
More bitsWPA2 incorporates the Advanced Encryption Standard, which uses stronger, 128-bit encryption keys. The wireless industry has also begun adopting a method of employing AES called counter mode.
NIST is still in the process of approving other components of 802.11i, the IEEE security standard that is the basis of WPA2. Brian Grimm, a Wi-Fi Alliance spokesman, said NIST has one piece to go before it signs off on the entire standard.
To date, only eight products have earned WPA2 certification, although Hanzlik said there should be a steady flow of them in coming months.
The alliance has boosted the number of laboratories that can perform testing.
Ann Sun, Cisco senior manager for wireless and mobility marketing, said all the company's wireless infrastructure products would incorporate WPA2-certified technology by the end of the year.
Experts say WPA2 certification wouldn't necessarily speed up the process of achieving FIPS compliance.
WPA2-certified products could take eight months to make their way through FIPS approval, said Eric Hall, systems architect for wireless service development at EDS Corp.
Agencies should be using that time to plan wireless network deployments so they're ready to move when the FIPS-certified products become available, Hall said.
And Hanzlik said he encourages agencies to specify WPA2-certified products in future requests for proposals.
'A quarter of products fail WiFi testing the first time through,' Hanzlik said. 'The risks are high when an agency doesn't look for certified solutions.'