Wireless security is critical

Net gains on wireless security

  • GAO will control access by allowing only the Media Access Control (MAC) addresses of its own wireless network cards.

  • Notebook users will log on using tokens that generate one-time passwords.

  • The wireless network will be segregated on a virtual LAN, with IPsec encryption. Triple DES encryption will be added in the project's second phase.

  • GAO will check the building's perimeter for radio emissions.

  • The network won't be turned on until it has been tested and deemed secure.

Henrik G. DeGyor

Security is universally acknowledged as a top priority for government systems, and wireless security puts that challenge in perhaps its most acute context.

You could say there are two basic ways to secure a system: from the outside in and from the inside out. Anthony Cicco, CIO of the General Accounting Office, knows both ways, and it's not hard to guess which one he prefers.

'Wireless was thrust upon us in November 2001 when the House of Representatives was infected with anthrax,' Cicco said.

When several House buildings were closed as a result of the anthrax mail attacks, about 2,000 representatives and staff members moved to temporary quarters in GAO's 1950s-era building in Washington. 'It was a tight fit, but we could accommodate them,' Cicco said.

Some GAO personnel telecommuted to free office space, and others doubled up in offices. The problem was network connections for the extra people. Rather than pull wire, which could take months, the agency bought 75 wireless access points and wireless PC Cards from SMC Networks Inc. of Irvine, Calif.

On in 48 hours

Within 48 hours the wireless LAN was up and running, with the new tenants connecting from Compaq Computer Corp. notebook PCs. Security for the network was incomplete, however. It depended largely on the IEEE 802.11 standard's Wired Equivalent Privacy (WEP) protocol, whose short initialization vectors and weak RC4 key scheduling were already known to let an eavesdropper recover the shared key from captured traffic, coupled with a virtual LAN on the wired network's Cisco Systems Inc. routers and switches. Some intrusion detection products were also used.

'We knew it wasn't the best-thought-out approach, but under the circumstances we had to do something,' Cicco said.

The temporary WLAN was turned off when the House returned to regular quarters, but GAO is preparing to deploy a new wireless net that it hopes will be a model for the rest of government.

'Everybody needs to assess their own level of risk,' Cicco said. For GAO's new deployment, the security is going in before the network is turned on. Cicco sees that as his primary responsibility: 'I don't think that as a CIO I can spend enough time on security issues.'

Cicco decided the new wireless network would not go live until it was ready, and that meant secure. 'We're setting up a test floor right now with a security architecture on it,' he said.

As a first step, GAO removed existing wireless access points from its public areas. Only GAO employees will be able to sign on.

The network will use WG-2000 wireless gateways from Bluesocket Inc. of Burlington, Mass. The gateways support both the 11-Mbps 802.11b standard and the newer, 54-Mbps 802.11a standard.

'We're on "b" now,' Cicco said. 'We're looking at "a".' Although 802.11a is faster, its 5-GHz signals have a shorter effective range than 802.11b's 2.4-GHz signals, so covering the same floors could require more access points.

The first line of defense is access control. Only the MAC addresses of the wireless network cards bought by GAO will be allowed on the network. 'It's an overhead,' Cicco said, because MAC address lists will have to be maintained for the access points. 'But it's worth it.' A MAC allowlist is a filter rather than an authentication: 802.11 source addresses are sent in the clear in every frame, so an attacker within radio range can read an approved address and clone it onto another card, which is why the token-based logon described next carries the real weight.

He said he is thinking of using the same restrictions for notebooks plugging into GAO's wired LAN. Users of the wireless network also will log on with tokens that generate one-time passwords. 'The token was a big part of it,' Cicco said.

Encrypt all traffic

The wireless network will be segregated on a virtual LAN, and all traffic encrypted with IPsec. 'Until we get the wireless performance up, the encryption isn't as hard as it could be,' Cicco said. The second phase of the network will use Triple DES, the Triple Data Encryption Standard.

Cicco also wants to discourage drive-by hackers and freeloaders.

'Even with that level of security, we still want to go to the perimeter of the building to check for emissions,' he said. Unauthorized users would not be able to log on from the street, 'but I don't think it's a good business practice to have the emissions going out.'

About the Author

William Jackson is a Maryland-based freelance writer.
