Secure at Last?

ABCs of wireless security

Government agencies have been slow to adopt wireless networking for fear it wasn't secure enough. The situation is changing, but it's hard to draw up a request for proposals without a clear understanding of the standards behind wireless security:

  • 802.11i: Ratified in June by the Institute of Electrical and Electronics Engineers, 802.11i is a wireless networking standard that incorporates the federal Advanced Encryption Standard algorithm.

  • Advanced Encryption Standard: A strong encryption standard that uses 128-, 192- or 256-bit keys to protect data as it travels over a network. The National Institute of Standards and Technology adopted AES in 2001 to replace the Data Encryption Standard. AES requires significant processing power. WiFi products that don't include hardware to support AES cannot easily be upgraded to handle it and likely will have to be replaced.

  • Federal Information Processing Standard 140-2: NIST's cryptographic standard specifies data encryption for networks. Most agencies consider FIPS 140-2 compliance a requirement for wireless networking products.

  • Wired Equivalent Privacy: The earliest form of WiFi security has been roundly criticized as easy to compromise.

  • WiFi-certified: Products with certification from the Wi-Fi Alliance have been tested to comply with the group's standards and to interoperate with other WiFi-certified products.

  • WiFi Protected Access: The Wi-Fi Alliance developed WPA to supersede WEP. WPA, based on an early version of IEEE's 802.11i secure networking specification, uses an encryption scheme called Temporal Key Integrity Protocol. It is far more secure than WEP but does not meet NIST security requirements. Products that meet WPA specifications can still achieve WiFi certification. More than 600 products are WiFi-certified for WPA security.

  • WiFi Protected Access 2: Released Sept. 1, WPA2 is the functional equivalent of the 802.11i wireless networking standard. It incorporates AES encryption and complies with FIPS 140-2. Industry views WPA2 as a significant advance toward government acceptance of secure wireless networking. Products can earn the WiFi seal of approval without incorporating WPA2. Check www.wi-fi.org for a list of certified products and the level of security (WPA or WPA2) they incorporate. To date, only eight products have been certified for WPA2 compliance.

The wireless train 'has left the station' and can't be turned back now, DHS' chief information security officer says.

David S. Spence

New standards help secure wireless LANs

Robert West, the Homeland Security Department's chief information security officer, made the rounds at an after-hours social event during a conference last summer. He met a federal air marshal eager to show him what was running on his wireless personal digital assistant.

'This is how they send me orders; this is how they tell me what airplane to get on,' the marshal told West, illustrating how wireless communication lets air marshals respond quickly to changing plans and last-minute threats.

West was impressed but had a simple reply: 'That's great, but our wireless policy right now is no wireless' because of security risks.

Then the marshal told West what had happened a couple of weeks earlier. A colleague was on his way to a flight when he got an Amber Alert on his personal digital assistant. The marshal downloaded a picture of the missing child to the PDA, caught the abductor and returned the child home.

'Now, if you're me, puffing your chest and saying wireless is not an option, what do you say to that?' West asked a crowd of government and industry executives at a wireless security conference held last month by GCN and the Wi-Fi Alliance.

'It was one of those watershed events for me in my short tenure within the department,' West said.

DHS has since changed its policy to permit certified and accredited wireless networks. It also formed a wireless security working group to assess risk and identify secure methods of deploying wireless networks.

Although DHS has been criticized for not adequately implementing security, most recently in a July report by its own inspector general, there's no turning back now, West said.

'The wireless train has left the station,' he said. 'There's a point at which you just have to step up and say there's new technology, it does help, and for all the lack of security we have to do the right things.'

A new wireless security standard published last month by the Wi-Fi Alliance might help ease agencies' security concerns and spur adoption of wireless networks in government. Dubbed WiFi Protected Access 2, the standard incorporates encryption approved by the National Institute of Standards and Technology to protect data that is transmitted wirelessly.

Ronald Jost, wireless director at the Defense Department, told the conference that the department would be asking for WPA2-certified solutions when it procured wireless networks.

That, according to the alliance's managing director Frank Hanzlik, was a ringing endorsement.

'If it makes sense for DOD, it should make sense for other government agencies,' he said. 'Now that we have something that's government-grade, the reception has been positive.'

A standard grows up

The Wi-Fi Alliance is a nonprofit industry group established to standardize wireless technologies around the Institute of Electrical and Electronics Engineers' 802.11 specification.

Members include heavyweights such as Cisco Systems Inc., IBM Corp. and Intel Corp. The alliance tests and certifies products to ensure compatibility.

Until now, certification was important to commercial users but meant little to government agencies, which take their standards cue from NIST.

'NIST is in the driver's seat for standards in the federal government, and rightly so,' West said.

NIST's Federal Information Processing Standard 140-2 describes how data must be encrypted to stay secure on a wireless network.

Until WPA2, no WiFi standard met FIPS 140-2 requirements. That didn't stop more than 600 products from earning WiFi certification based on the earlier WPA security standard and an encryption scheme called Temporal Key Integrity Protocol.

Most of the products worked well, but they couldn't earn NIST's blessing. Some agencies that wanted wireless networks compliant with FIPS 140-2 ended up installing special security appliances behind their wireless access points, such as the AirFortress line of gateways from Fortress Technologies Inc. of Oldsmar, Fla.

More bits

WPA2 incorporates the Advanced Encryption Standard, which uses stronger, 128-bit encryption keys. The wireless industry has also begun adopting a method of employing AES called counter mode.
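Counter mode, mentioned above, is the part of the WPA2 design that turns a block cipher into a keystream: each 16-byte counter block (a nonce plus a running counter) is encrypted under the key, and the result is XORed with the data. The following is an added illustration written for this article, not code from the Wi-Fi Alliance or any product it mentions. To keep it runnable with only the Python standard library, it substitutes a keyed HMAC-SHA256 truncated to 16 bytes for the AES-128 block encryption (an assumption, clearly marked in the code); the mode's mechanics are the same, and the last function demonstrates the one rule every counter-mode deployment depends on, which is that a counter block must never be used twice under the same key.

```python
import hashlib
import hmac

BLOCK_SIZE = 16   # AES block size in bytes; the stand-in below also yields 16-byte blocks
NONCE_SIZE = 8    # nonce || 64-bit counter fills one 16-byte counter block


def block_function(key: bytes, block_in: bytes) -> bytes:
    """Stand-in for one AES-128 block encryption (ASSUMPTION for this example).

    Counter mode only needs a keyed function from a 16-byte counter block to a
    16-byte keystream block. HMAC-SHA256 truncated to 16 bytes plays that role
    here so the example runs without a third-party AES library; dropping in a
    real AES-128 block encryption would give AES-CTR proper.
    """
    if len(key) != 16:
        raise ValueError("key must be 128 bits")
    if len(block_in) != BLOCK_SIZE:
        raise ValueError("counter block must be 16 bytes")
    return hmac.new(key, block_in, hashlib.sha256).digest()[:BLOCK_SIZE]


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Return `length` keystream bytes: E_K(nonce || 0), E_K(nonce || 1), ..."""
    if len(nonce) != NONCE_SIZE:
        raise ValueError("nonce must be 8 bytes")
    out = bytearray()
    counter = 0
    while len(out) < length:
        counter_block = nonce + counter.to_bytes(8, "big")
        out += block_function(key, counter_block)
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt) `data` by XORing it with the counter-mode keystream.

    No padding is needed: the keystream is simply truncated to the data length,
    which is one reason counter mode suits variable-length wireless frames.
    """
    return xor_bytes(data, ctr_keystream(key, nonce, len(data)))


# Decryption is the same operation: XOR with the same keystream a second time.
ctr_decrypt = ctr_encrypt


def nonce_reuse_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Show the failure mode defenders must design out of counter mode.

    If two messages are encrypted under the same key AND the same nonce, the
    XOR of the two ciphertexts equals the XOR of the two plaintexts, i.e. the
    keystream cancels and plaintext relationships are exposed. Returns True
    when that equality holds (it always does for reused nonces), which is why
    a correct implementation must derive a fresh nonce for every frame.
    """
    n = min(len(p1), len(p2))
    c1 = ctr_encrypt(key, nonce, p1[:n])
    c2 = ctr_encrypt(key, nonce, p2[:n])
    return xor_bytes(c1, c2) == xor_bytes(p1[:n], p2[:n])


if __name__ == "__main__":
    # Constructed sample values for the demonstration; not real key material.
    key = bytes(range(16))
    nonce = b"\x00\x00\x00\x00\x00\x00\x00\x01"
    frame = b"ORDER: proceed to gate B7, flight 1042"   # constructed sample message
    ct = ctr_encrypt(key, nonce, frame)
    print("ciphertext:", ct.hex())
    print("round trip ok:", ctr_decrypt(key, nonce, ct) == frame)
    print("nonce reuse leaks plaintext XOR:",
          nonce_reuse_leaks_xor(key, nonce, frame, b"ORDER: stand down, return to base"))
```

The only state the sender and receiver must share beyond the key is the nonce, and its uniqueness per frame under a given key is the property a FIPS 140-2 evaluation of a counter-mode implementation will scrutinize; the `nonce_reuse_leaks_xor` check makes visible what goes wrong when that property is violated.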

NIST is still in the process of approving other components of 802.11i, the IEEE security standard that is the basis of WPA2. Brian Grimm, a Wi-Fi Alliance spokesman, said NIST has one piece to go before it signs off on the entire standard.

To date, only eight products have earned WPA2 certification, although Hanzlik said there should be a steady flow of them in coming months.

The alliance has boosted the number of laboratories that can perform testing.

Ann Sun, Cisco senior manager for wireless and mobility marketing, said all the company's wireless infrastructure products would incorporate WPA2-certified technology by the end of the year.

Experts say WPA2 certification wouldn't necessarily speed up the process of achieving FIPS compliance.

WPA2-certified products could take eight months to make their way through FIPS approval, said Eric Hall, systems architect for wireless service development at EDS Corp.

Agencies should be using that time to plan wireless network deployments so they're ready to move when the FIPS-certified products become available, Hall said.

And Hanzlik said he encourages agencies to specify WPA2-certified products in future requests for proposals.

'A quarter of products fail WiFi testing the first time through,' Hanzlik said. 'The risks are high when an agency doesn't look for certified solutions.'
