Wireless 2006: Gaining momentum
- By David Essex
- Jul 27, 2005
Eight developments will shape how agencies balance the need for security against the push for mobility
Frank Hanzlik, managing director of the WiFi Alliance, said WPA2-certified wireless products are plentiful, but that the industry group's standards aren't necessarily up to DOD standards.
With the arrival last year of acceptable industry standards for security, government agencies are getting serious about implementing wireless networks. Reassured that wireless access points and client devices such as PC cards and phones are equipped with sophisticated encryption, they are turning their attention to other emerging technologies that promise to make wireless fast, safe, powerful and convenient.
The crucial enabler has been 802.11i, an extension of the wireless local-area network standard of the Institute of Electrical and Electronics Engineers. 802.11i largely meets the Federal Information Processing Standard 140-2 requirements for securing sensitive-but-unclassified communications with the Advanced Encryption Standard.
But 802.11i is only part of the security story, and GCN expects the remainder of this year and 2006 to be a time of increased focus on ongoing efforts to test and certify basic standards compliance while tightening federal guidelines for wireless security. Meanwhile, the means of extending networks and making them more hospitable to an increasingly mobile workforce'technologies such as mesh networking and WiMax'should begin to come into their own.
GCN identified eight wireless trends that we believe will be critical to broader adoption of wireless in government, then consulted leading vendors, market-research firms and standards organizations for their views. The following can serve as a rough guide to the technology minefields and opportunities that likely await anyone ready to take wireless beyond the novelty stage.1. Secure WiFi products become plentiful
By adding AES encryption, 802.11i made WiFi security good enough for government work. It's the minimum for the new generation of WLAN hardware, but truly airtight security requires user-authentication mechanisms and product certification.
Vendors have been aggressively upgrading their lines for 802.11i since its release last September. 'From the product perspective, I think we've seen tremendous support,' says Frank Hanzlik, managing director of the WiFi Alliance, an industry group that tests for compliance with 802.11i, or Wireless Protected Access 2 (WPA2), to use the alliance's brand name for the standard. This past spring, the group claimed more than 800 products were WPA2 certified.2. New NIST and Defense wireless guidance expected
The influential agencies are updating their wireless security guidance to reflect 802.11i. The National Institute of Standards and Technology, which among its many functions sets computer security standards and guidelines for the federal government, weighed in on 802.11 and Bluetooth wireless network security when its issued Special Publication 800-48 three years ago. Now it is working on a revision that will influence both agency IT investment and wireless products for years to come.
Between SP 800-48 and the upcoming new wireless standards, there is NIST SP 800-53, Recommended Security Controls for Federal Information Systems, which says certified 802.11i products provide sufficient security because the standard conforms to FIPS-140-2 and its requirement of the 128-bit Advanced Encryption Standard. It also contains best-practice recommendations in areas such as risk assessment, access control and authentication.
But isn't this just guidance and not a mandate? Not any more. NIST says the guidelines will form the basis for a new FIPS. 'If we issue a FIPS, that is required,' said Sheila Frankel, a computer scientist at NIST. 'In the old days, agencies could get waivers,' she said, referring to a policy change in the Federal Information Security Management Act of 2002.
Frankel said the wireless update would be posted for public comment by late September and should become final by year's end.
Meanwhile, in July the Defense Information Systems Agency released a draft addendum to the Wireless Security Framework it prepared for the Defense Department. It requires FIPS-140-2, WPA2 certification and other security measures such as wireless intrusion detection systems. Last month Ronald Jost, DOD's director of wireless, said requiring WIDS would be a 'big change,' especially for a user population as large as DOD's.3. Security testing raises IT comfort level
Government and industry test labs ensure that products live up to their security claims and interoperate via WiFi standards. WiFi hardware vendors are lining up at DISA's Joint Interoperability Test Command lab at Fort Huachuca, Ariz., for tests to certify adherence to DOD's ultrastrict security rules.
The WiFi Alliance runs several certification labs of its own. 'In the spring of next year, we're actually going to mandate that all the products that come through our labs have to be certified for WPA2,' Hanzlik says, but he is quick to point out that WiFi Alliance certification is geared to consumers and doesn't pretend to meet DOD standards.
One critical link that remains a hodgepodge of de facto vendor standards is authentication, the process by which a wireless system confirms user identities. Methods from Microsoft Corp. and Cisco Systems Inc. are two of the most popular types of the Extensible Authentication Protocol. Despite the seeming chaos, wireless experts say the approach is workable as long as IT managers commit to a single EAP type. This past April, the WiFi Alliance said it would expand its certification testing to five EAP types. 'Right now, the market hasn't decided that there's one way to do this,' Hanzlik says.
One of the four new EAP types is EAP-SIM, for the subscriber identity modules inside cell phones. It could help spur the adoption of so-called smart cell phones, which face thorny user-authentication problems as they cross network boundaries.4. WiMax enters production
Arguably the most important wireless technology now emerging is WiMax, the catchy brand name for an IEEE standard called 802.16 for networks that can cover 30 miles with a single station and run at near-WiFi speeds approaching 70Mbps. The broadband standard could come into its own in 2006, making wireless infrastructure more affordable in campus and urban settings, while allowing urban hot spots to proliferate.
The WiMax Forum industry group opened its certification program this past spring and says products should arrive by the end of 2005. Proponents say the first generation of products will be outdoor, satellite dish-style devices mounted on towers, with modem-sized indoor boxes expected in 2006, followed by chip sets that fit inside laptops and other mobile devices. There are actually three extensions of the standard that correspond to the three hardware types, starting with 802.16a, 802.16-2004 and 802.16e, the latter expected to be ratified this year.
Not surprisingly, governments are interested. 'Clearly, in a tactical environment, they're looking at it,' said John Dow, vice president of business development at Fortress Technologies, a vendor of FIPS-compliant wireless hardware. Dow said military bases are strong candidates for WiMax. The attraction, as with many wireless deployments, is avoiding the hassle of stringing wired LANs. '[WiMax] really is something you can deploy in a day,' he said.
There's a downside: WiMax sacrifices speed for distance and is more expensive than WiFi. 'WiFi terminals are about $10,' said Mark Whitton, general manager for WiMax and wireless mesh networking at Nortel Networks. 'WiMax terminals will be in the $300 range, and WiFi's always going to be faster,' making it more suitable for large databases and videos, he said. WiMax access points run in the tens of thousands, many times more than WiFi's, Whitton said, but eventually, WiMax's broader coverage will make its cost comparable.5. Roaming makes wireless seamless
New technologies and standards will let you use your notebook or cell phone in disparate networks, without losing the connection.
Much current and future technical work is focused on enabling roaming between disparate networks and on session persistence, which ensures that applications and their data stay alive during the handoff. 'It's about allowing the apps to become reliable in intermittent coverage, extended coverage areas, and more and more, suspend-and-resume situations,' said John Knopf, senior product manager at NetMotion Wireless, which makes client/server software designed to do exactly that.
Knopf claimed other vendors focus too much on the low-level mechanics of network roaming without taking care of top-level application issues. Current industry standards also do an incomplete job, he said, citing as an example the roaming features added in the major new revision of the Internet Protocol, IPv6, saying they can't reliably avoid data loss; and regardless, companies aren't in any rush to scrap the current IPv4 protocol.
Starting this November, IEEE will begin working on a roaming standard, called 802.11r, but it isn't expected to be completed until March 2007 and will only address session persistence within 802.11 (WiFi) networks. An 802.11u group is addressing handoff issues between WiFi and cellular networks.
Meanwhile, industry observers expect to see more hybrid cellular/WiFi handsets from Motorola, Nokia, Samsung and others. 'A lot of these guys have said they'll be able to do seamless handoffs,' said Tole Hart, principal analyst at the Gartner research firm.6. Voice over WiFi works out the kinks
Quality-of-service features in the new 802.11e/WiFi MultiMedia (WMM) standard'plus seamless roaming, session persistence and NIST security'should fi- nally make enterprise-class voice feasible.
The 802.11e standard is expected to be ratified this summer, but to legitimize products that jumped the gun, the WiFi Alliance last fall introduced testing for WMM, its name for the then-settled parts of 802.11e that could easily be carried forward to the final version.
The standard makes WiFi networks more suitable for video and voice, which become nearly unusable when broken up by delays in data transmission. 'It sets up a kind of prioritization scheme,' said David Cohen, senior product manager at Broadcom Corp., a maker of semiconductor chips for VoWiFi (also called VoWLAN). 'For example, your voice packets might go through before your e-mail.'7. Up next: 802.11n speed boost
Quadruple the throughput of standard 802.11g networks (about 200Mbps) is the promise of the coming IEEE 802.11n WiFi standard expected in late 2006, but beware of proprietary 'pre-N' products sporting some of its technical features.
Multiple antennas and receivers coordinated by a technology called Multiple Input Multiple Output are the preferred route to 802.11n, which gets its speed boost by adding data streams. 'Throughput goes up linearly with the number of channels,' said Stuart Kerry, chair of the 802.11 working group.
Bruce Kraemer, who chairs the 802.11n task group, said the standard is slated for final revision in December 2006. 'There's a pretty high degree of commonality. The proposals that are all on the table propose to use some kind of MIMO technique.'
The WiFi Alliance expects to set up certification testing in the following quarter but says it won't certify pre-N products in the meantime, fearing they could break the interoperability guarantee of the WiFi standard. 'All the interoperability benefits of WiFi are gone if you implement a pre-802.11n device,' said Broadcom's Cohen, who also chairs the WiFi Alliance's security committee. 'It's a very bad idea for a large government agency or enterprise to do this.'
Others, including Van Nice, are skeptical that there's much demand for a speed boost for access points, which he said are rarely overloaded by current traffic loads. And non-conformity to a standard doesn't mean prestandard products don't work'they just don't work across vendors. 'There are a number of pre-N products out now, and they work quite well,' said Craig Mathias, principal of Farpoint Group, a research firm, citing products from Belkin and Linksys.8. Mesh networking everywhere
Agencies are already extending their WLANs with access points that link to each other wirelessly, rather than through the wired network.
So far, mesh networks have proven to be of greatest interest to local governments who either use them to offer public WiFi 'hot spots' in urban areas or who want to provide more widespread wireless access for their employees. Dow of Fortress Technologies, which has partnerships with several mesh networking vendors, points to an additional driver of local government demand for the technology. 'There have been a lot of municipalities on older, licensed data networks,' he said. 'We see a pretty strong trend in trying to get rid of these networks or supplement them ... with WiFi hot spots.'
Federal agencies are more likely to be focused on their own offices. 'In general, they're going to be able to cover their whole campus with wired nodes,' Van Nice said. Nortel Networks, for example, claims installations at NASA, the University of Arkansas and Taipei, Taiwan, which use a mesh network to provide public access. Motorola Inc., which got the technology by acquiring MeshNetworks Inc., and Cisco are other major players with significant government business.
Several observers agreed that while mesh networks and WiMax have similar goals and could compete for deployments, they would also complement each other. WiMax access points can interact with each other in a mesh configuration, just as WiFi devices do. 'It goes back to the old adage about mobility,' said Bob Dunn, director of Nortel PEC solutions. 'They just want to access the Internet and e-mail at any time.'David Essex is a freelance technology writer based in Antrim, N.H.