As the Defense Department prepares a new wireless policy, agencies will be watching to see if standards collide
'For folks like us with a large enterprise deployment, we will have to change the architecture that we've spent the last three years building.'
'Derek Krein, Joint Experimentation Directorate
The Defense Department is planning to sharpen its wireless networking policy by requiring the use of interoperable products built to industry standards. Seems straightforward enough. But the question is: Do industry standards jibe with government standards? Defense IT shops and civilian agencies working up their own wireless policies want to know.
The current DOD policy, spelled out last year in Directive 8100.2, requires that wireless devices use cryptographic modules validated to Federal Information Processing Standard 140-2. That requirement will not change in Directive 8100.3, said Cmdr. Stan Burlingame, a program analyst working on the DOD commercial wireless policy.
'The purpose is not to supersede the existing policy, but to add more detail,' Burlingame said. 'It now [also] says you will operate your wireless LAN based on the 802.11i standard.' And that's where the potential rub comes in.
802.11i is the robust security standard for wireless networks from the Institute of Electrical and Electronics Engineers. Experts are concerned that 802.11i and FIPS-140-2 might not be compatible. That could be significant, considering that the impact of the DOD policy, expected to be finalized this month, may be felt beyond the Pentagon.
'This could very well flow into what the rest of the federal government adopts,' Burlingame said. For example, he said he has spoken with representatives from the Agriculture Department, which also plans to mandate 802.11i for wireless.Pros and cons
The new policy is drawing a mix of criticism and praise from industry and DOD users.
'There are pros and cons,' to using 802.11i, said Derek Krein, a wireless-security engineer with the Joint Forces Command's Joint Experimentation Directorate in Suffolk, Va. 'The pro is, it's a standard. It sounds great on paper, but when it comes down to the technology, it's not there yet. I'd rather have something that's been in the field a few years before we hang our hats on it.'
Moreover, mixing the two standards, FIPS-140-2 and 802.11i, could result in a wireless system that is neither interoperable nor secure, said Mike Coop, vice president of consulting engineering for Cranite Systems Inc. of Los Gatos, Calif. Cranite is one of several companies, including Fortress Technologies Inc. of Oldsmar, Fla., and 3e Technologies International Inc. of Rockville, Md., that now provide wireless networking products meeting current DOD requirements for FIPS-140-2 encryption at the data link layer.
'Is it possible to put them together and make them work according to FIPS mandates?' Coop said. 'Absolutely. Is there a mechanism to validate that? None whatsoever. And that's one of our big issues with the policy.'
Cranite focuses primarily on the government market, but it might find itself out of step with DOD policy. 'We are not committing to supporting 802.11i at this point,' Coop said.
Still, other vendors see the new policy as an entrance into the DOD market. Funk Software Inc. of Cambridge, Mass., in October announced a wireless client based on the 802.11i standard with a FIPS-140-2-certified cryptographic module. The wireless client must work with an access point and an authentication server to provide secure wireless connectivity. Funk worked with Aruba Networks of Sunnyvale, Calif., and Cisco Systems Inc. of San Jose, Calif., to ensure that its Odyssey Client FIPS Edition would be interoperable with those companies' FIPS-certified access points. Funk expects to announce FIPS compliance for its Steel-Belted Radius authentication server later this year.
'We have seen over the last year a movement in the federal market to standardized deployments for wireless LANs,' said Funk federal account manager Steve Taylor. 'DOD and civilian agencies are looking more and more to 802.11i.'
Taylor said the shift not only will open the federal market for Funk's wireless products, but will also expand the availability of standards-based products and competition among their vendors.
'Ultimately, it will mean that the federal market for wireless is larger,' he said.
But a broader choice of products isn't necessarily the answer to agencies' needs.
'They are each pretty good solutions on their own,' Burlingame said. 'The only problem is that not one of them is interoperable with the other. Our goal, besides security, has always been interoperability.'Mixed reviews
In April, DOD hosted a Wireless Industry Working Group Day to brief several dozen companies on its plans for updating the wireless policy.
'That brief dialogue already has gotten the industry to start making products' that comply, Burlingame said.
Reactions to the proposed policy were not entirely positive, however.
'There were about 100 of us there, and it got fairly heated about what people believe in, from a technology viewpoint,' Coop said.
The problem, as Coop and others see it, is that under the FIPS validation scheme, conducted by the National Institute of Standards and Technology, the cryptographic module being evaluated is treated as an independent device. But under 802.11i, the client, access point and authentication server work together to generate and manage the cryptographic keys. The security of the process depends in part on the level of randomness, or entropy, of the encryption keys.
When various interoperable FIPS-validated WiFi components are mixed and matched, 'you can fail to generate sufficient entropy to meet FIPS requirements,' Coop said.
Dennis Volpano, associate professor of computer science at the Naval Postgraduate School, has recommended that FIPS requirements be changed to recognize a 'logical cryptographic module' that includes multiple components, and that requirements for 802.11i compliance be dropped from the proposed DOD policy.
DOD has been working on the new policy for about a year, and the public comment period on the current draft closed on Sept. 30.
'My hope is that we can get this policy out by Thanksgiving,' Burlingame said.
The finalization of IEEE's 802.11i in September 2004 'was the trigger point for having the technology become eligible for FIPS-140-2 certification,' said Frank Hanzlik, managing director of the WiFi Alliance, which certifies products for compliance with the IEEE 802.11 family of standards.
Hanzlik was not aware of concerns about applying FIPS to 802.11i but said, 'My initial thought is that it should not be an issue. At the level of certification that we address, there is absolute interoperability there.'More changes brewing
Regardless of the policies finally incorporated in 8100.3, additional changes for DOD wireless networks are likely. NIST is working on a new version of the FIPS standard for cryptographic modules to replace the current one.
FIPS-140-1 was adopted in 1994, and the standard is reviewed every five years. It was updated to 140-2 in 2001, and NIST and the Canadian Communications Security Establishment now are putting the finishing touches on 140-3. The first draft is tentatively scheduled to be released for public comment this month. If the Commerce secretary approves it by May 2006, it would go into effect next November, and 140-2 would be retired six months after that. Although products now certified under the previous standards still could be used in government IT systems, new or updated products would have to be recertified.
'Vendors who've taken 802.11i through the FIPS-140-2 process will now be faced with trying to get their products through the 140-3 process,' Coop said. 'My educated guess is that if it's even possible to have an .11i product meet 140-3 requirements, each product will look even more proprietary and unique than do current products.'
Even without a new FIPS standard to contend with, 8100.3 will mean extra work for those in DOD who already have implemented WLANs, such as the Joint Experimentation Directorate.
'For folks like us with a large enterprise deployment, we will have to change the architecture that we've spent the last three years building,' Krein said. 'For us, that is a huge downside.'
Krein attended the vendor conference in April, where he heard the complaints about the conjunction of 140-2 and 802.11i and the answers to them. The concerns are valid, but not fatal, he said.
'Is it a killer? Probably not. Is anyone completely satisfied with the answers? No.'
Ultimately, 'good things will come of it,' he said of 8100.3. 'Overall, it's a pretty good policy.'