With wireless, it's good to learn from others
Agency initiatives offer valuable lessons about technology and security
- By Brad Grimes
- Jul 20, 2005
You could find worse places in the world to start a wireless technology proving ground than Hawaii's beautiful Big Island. It wasn't even the intention of the Army's Installation Information Infrastructure Modernization program to test virtually every wireless system available when it came time to upgrade the networks at Hawaii's Pohakuloa Training Area, nestled between the Mauna Kea and Mauna Loa volcanoes. But that's what the Army did.
In fact, said Lt. Col. John Leaphart, program manager for Defense Communications System-Pacific, wireless wasn't even in the cards when the program office began its Fort Hawaii project. All Leaphart wanted to do was upgrade the networks of several bases on the island from Asynchronous Transfer Mode to Gigabit Ethernet over fiber-optic cabling. Pohakuloa, however, presented a unique problem'it's built on a huge volcano bed.
Laying cable for the island's other bases ran about $80 a foot, Leaphart said. The estimate for digging through the hard lava bed at Pohakuloa and then laying cable came to about $150 a foot. Leaphart, who is based at Fort Monmouth, N.J., decided to try and make Pohakuloa a completely wireless campus.
'In addition to cutting costs, being wireless provides added benefits,' Leaphart said. 'Being digital will allow for accurate and timely viewing, recording and feedback of individual combat training ... and simulation war gaming.'
In its quest to make Pohakuloa completely wireless'backbone and all'the Army asked its Fort Hawaii integrators to pull out every wireless technology at their disposal: 802.11a/b/g, WiMax, free-space optics, millimeter-wave radio, microwave radio, Third-Generation cellular and voice over WLAN. And for two months this year, Hawaii became the Army's wireless proving ground.
In the end, the Pohakuloa pilot was as notable for what didn't work as for what did, and the lessons learned made the Defense Communications Systems-Pacific office one of 10 government agencies recognized with a Promising Practices award at the GCN Wireless and Mobility Conference held last month in Washington.
Successful government wireless projects run the gamut, from simply deploying BlackBerry handhelds throughout the Postal Service to building a multitiered wireless security architecture for the Joint Futures Laboratory. GCN editors judged more than 50 submissions to the wireless Promising Practices program, looking for projects that other agencies might emulate'or at the very least learn from.
At the Pohakuloa Training Area in Hawaii, the Army gained first-hand knowledge of several wireless technologies, and although each has its merits, only a handful made it into the request for proposals to make Pohakuloa a wireless campus. In the end, despite the challenges, Leaphart said Phakuloa would require fiber-optic cabling to connect its major nodes. The base was able to achieve gigabit speeds over free-space optics and millimeter-wave connections, but the encryptors needed to protect those communications to Defense Department standards are not yet widely available, Leaphart said.
'For now, encryption is a big cost driver. Gigabit encryptors are just coming around now,' he said.
It's the same gating factor that ultimately prevented Pohakuloa from using VOIP over WLAN. Leaphart said the technology itself works well, both over WiFi and WiMax connections, 'but with our encryption requirements, we couldn't get the quality of service we needed.'Calling all senators
Voice service was also the major driver behind a promising practice at the U.S. Senate. In March, several Senate buildings flipped the switch on an in-building wireless network that combines cellular communications and WiFi networking. After Sept. 11, 2001, it became clear that wireless coverage throughout the Senate's stately stone buildings was spotty at best. Lack of reliable communications was a severe hindrance to any continuity-of-operations plan. In addition, like so many other government agencies, the Senate could help members and staff be more productive if it could provide wireless access to its networks.
Perhaps the biggest challenge, said Senate CIO Greg Hanson, was the fact that senators and their staffs could never'and probably shouldn't'adopt a single cellular carrier.
'How do you satisfy everyone by making [the network] carrier agnostic?' Hanson said. Senate staffs tend to have their favorite cellular services because coverage varies from state to state. So Hanson and the IT staff in the Senate Sergeant at Arms Office turned to an in-building network that could support virtually any wireless carrier.
From a central hub, MobileAccess Inc. of Vienna, Va., ran fiber-optic cabling to existing distribution centers throughout the Senate's infrastructure and from there to wiring closets within the building. At the central hub, cellular carriers were given secure areas to house their proprietary equipment.
From the wiring closets, cables run to smoke detector-sized antennae in hallways and other strategic areas to provide optimal coverage. Each antenna supports cellular, 802.11b/g and BlackBerry communications. The Senate owns the infrastructure and sells licenses to individual carriers. As new carriers come aboard, they simply add their equipment to the central hub.
Hanson said the lease-back deal pays for itself and has already saved $3.6 million.
It almost goes without saying that the Senate and virtually every other agency deploying wireless networks has information security on its mind. The Senate's WiFi network, for instance, employs hard tokens, virtual private networking and other security measures.
At the Joint Futures Lab in Suffolk, Va., security engineers have developed what they call Defense-in-Depth to protect its rapidly growing wireless infrastructure. The lab, part of the Joint Forces Command, now has almost 80 access points supporting more than 400 users. Not only does the WLAN boost productivity, but it saved the lab 50 percent of the cost of wiring a brand-new facility, said Derek Krein, the lab's wireless engineer.
However, when the Joint Futures Lab began experimenting with wireless networks in August 2002, it discovered that the gateway it employed for VPN tunneling left something to be desired.
'When we started sniffing traffic, what we noticed with IPSec was that there were a lot of IP addresses, NetBIOS traffic, computer names, user names, domain names, just a whole lot of broadcast traffic,' Krein said. 'While IPSec tunnels your data, it doesn't tunnel anything that's broadcast.'
Today, the lab's defense-in-depth strategy breaks down into five layers. First, the wireless network is kept completely separate from the wired network using separate switches. Users can only access the wired network by navigating other layers of the security infrastructure.
Second, the lab uses layer 2 encryption gateways from AirDefense Inc. of Alpharetta, Ga., to protect data links and mitigate the risks of broadcast information. Beyond that, Krein's team has deployed wireless gateways from Bluesocket Inc. of Burlington, Mass., to handle authentication, and intrusion detection systems from AirDefense to monitor airwaves and alert administrators to attacks, rogue APs and other vulnerabilities.
Finally, the lab is testing wireless management software from AirWave Wireless Inc. of San Mateo, Calif., to further enhance security by automating configuration management and other tasks. 'It also lets us do network separation, policy control and monitoring,' Krein said.
Other agencies could learn from the lab. Krein said he's given briefings to several, including the Justice Department, National Security Agency and several Defense agencies.
'And we spent more money on our wired infrastructure than we have for all of our wireless infrastructure,' Krein said. That's a lesson learned any agency could appreciate.