Wireless security is critical
- By William Jackson
- Apr 01, 2003
Security is universally acknowledged as a top priority for government systems, and wireless security puts that challenge in perhaps its most acute context.
You could say there are two basic ways to secure a system: from the outside in and from the inside out. Anthony Cicco, CIO of the General Accounting Office, knows both ways, and it's not hard to guess which one he prefers.
'Wireless was thrust upon us in November 2001 when the House of Representatives was infected with anthrax,' CIO Cicco said.
When several House buildings were closed as a result of the anthrax mail attacks, about 2,000 representatives and staff members moved to temporary quarters in GAO's 1950s-era building in Washington. 'It was a tight fit, but we could accommodate them,' Cicco said.
Some GAO personnel telecommuted to free office space; others doubled up in offices. The problem was network connections for the extra people. Rather than pull wire, which could take months, the agency bought 75 wireless access points and wireless PC Cards from SMC Networks Inc. of Irvine, Calif.
On in 48 hours
Within 48 hours the wireless LAN was up and running, with the new tenants connecting from Compaq Computer Corp. notebook PCs. Security for the network was incomplete, however. It depended largely on the IEEE 802.11 standard's imperfect Wired Equivalent Privacy protocol, coupled with a virtual LAN on the wired network's Cisco Systems Inc. routers and switches. Some intrusion detection products also were used.
'We knew it wasn't the best-thought-out approach, but under the circumstances we had to do something,' Cicco said.
The temporary WLAN was turned off when the House returned to regular quarters, but GAO is preparing to deploy a new wireless net that it hopes will be a model for the rest of government.
'Everybody needs to assess their own level of risk,' Cicco said. For GAO's new deployment, the security is going in before the network is turned on. Cicco sees that as his primary responsibility: 'I don't think that as a CIO I can spend enough time on security issues.'
Cicco decided the new wireless network would not go live until it was ready, and that meant secure. 'We're setting up a test floor right now with a security architecture on it,' he said.
As a first step, GAO removed existing wireless access points from its public areas. Only GAO employees will be able to sign on.
The network will use WG-2000 wireless gateways from Bluesocket Inc. of Burlington, Mass. The gateways support both the 11-Mbps 802.11b standard and the newer, 54-Mbps 802.11a standard.
'We're on "b" now,' Cicco said. 'We're looking at "a."' Although 802.11a is faster, it has a shorter effective range than 802.11b, which could require more access points.
The first line of defense is access control. Only the Media Access Control (MAC) addresses of the wireless network cards bought by GAO will be allowed on the network. 'It's an overhead,' Cicco said, because MAC address lists will have to be maintained for the access points. 'But it's worth it.'
He said he is thinking of using the same restrictions for notebooks plugging into GAO's wired LAN. Users of the wireless network also will log on with tokens that generate one-time passwords. 'The token was a big part of it,' Cicco said.
Encrypt all traffic
The wireless network will be segregated on a virtual LAN, and all traffic encrypted via the IP Security protocol. 'Until we get the wireless performance up, the encryption isn't as hard as it could be,' Cicco said. The second phase of the network will use the Triple Data Encryption Standard.
Cicco also wants to discourage drive-by hackers and freeloaders.
'Even with that level of security, we still want to go to the perimeter of the building to check for emissions,' he said. Unauthorized users would not be able to log on from the street, 'but I don't think it's a good business practice to have the emissions going out.'
William Jackson is a Maryland-based freelance writer.