Navy wants encryption, better monitoring on wireless LANs
New policy focuses on unclassified networks
- By Patience Wait
- Jan 05, 2007
The Navy, addressing concerns over the security of wireless networks and communications devices, has issued a servicewide policy setting standards for the use of commercial wireless hardware and services.
The policy, issued Nov. 30 by acting CIO John Lussier, applies to all unclassified commercial WLAN devices, services and technologies.
'Although sometimes mischaracterized as lacking security, wireless networks can in fact provide as much or as little security as the user wants,' said Andrew Kreig, president of the Wireless Communications Association International, a trade association in Washington.
'The instruction on improved network security for wireless local area networks is a logical next step for the military's increasing use of advanced mobile networks facilitated by commercial providers,' Kreig added. 'This instruction underscores the military's commitment to the benefits of advanced networks, and also to taking necessary security precautions in a uniform manner across many applications, continents and, of course, high seas.'
A spokesperson for EDS Corp., the company that holds the multi-billion-dollar Navy-Marine Corps Intranet contract to provide IT systems and services to hundreds of thousands of seats, said the new policy has no effect on the program.
'We already met these standards,' said Barbara Mendoza, in EDS' NMCI office.
At a practical level, the policy specifies that wireless components of networks generally are to be secured at Open System Interconnection Layer 2'the data link layer'as defined by the International Standards Organization. By requiring Layer 2 encryption, the Navy is ensuring data is encrypted while on the move.
Wireless client devices are to be maintained under the same configuration controls specified for wired LANs for information assurance and security.
The policy also requires that all WLAN traffic be protected, at a minimum, by devices certified to meet Federal Information Processing Standard 140-2, providing authentication and encryption at the data link layer.
To meet the push across the Defense Department to implement public-key infrastructure, the policy requires that WLAN solutions must meet departmental PKI requirements. The policy leaves the door open for new wireless PKI technologies.
And in keeping with the requirements of existing DOD policies 8500.1 and 8500.2 governing information assurance, 'new or existing WLAN devices, services and technologies that are integrated or connected to [Navy] networks constitute a change to the network,' and have to be certified and accredited.
The Navy's policy follows in the footsteps of the DOD-wide wireless guidance issued in June, which had tightened security requirements for WLANs connecting to the Global Information Grid.
While many systems and devices do not connect to the GIG, the new Navy policy makes a point of noting that using Layer 2 encryption 'does not preclude the additional use of Layer 3 encryption [to provide] long-haul protection for connections to remote networks and services,' in keeping with the DOD guidelines. Other elements of the DOD policy go further than the Navy guidance because they are concerned specifically with protecting the GIG.