U.S. Government Certified Wireless Security Products?
superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"
"Here are the certification requirements:
Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum. I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."
This may sound kind of stupid, but how do you *know* that a government certification actually makes something secure?
No really, here it is. It's cool! Up to 7 feet away from the base station and it's still working great. I'm going to try to double that with the next version. I'm reading up on those antenna things. I get the impression that would help a lot. Man, technology sure is great.
Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?
Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.
Sensitive data that needs protection should be encrypted at the app level anyway.
I'm *far* more interested in robust access-control rather than someone peeping in to my packets...
I browse at +5 Flamebait- moderation for all or moderation for none.
... use a VPN to authenticate and transmit traffic over the wireless network. That's it. Anything else is icing on the cake, such as: monitoring who makes DHCP requests; hardening boxes which will be exposed on the wireless network; and a firewall behind the access point.
.gov is useless with security, particularly when it affects the public. Don't waste time waiting for them to save you; the cavalry ain't coming.
What makes anyone think that the US government could do any better securing wireless devices than the millions of geeks currently working on the subject?
Cisco Aironet stuff + their Secure ACS on Solaris would do the trick just fine via LEAP.
Come on, where are the Bush-lickers to say we are all paranoid nuts, and convince us that the government really does put our interests first?
Anything you put over the airwaves is gonna get hacked sooner or later, because you've just eliminated the ONE thing that makes hacking the hardest: ACCESS.
Getting access to the data is always the most difficult step, hence social engineering, breaking and entering, etc. Putting all your stuff on the air so anybody can drive by in a car, or set up a nice antenna across the street, now lets them suck down all your data and take all the time they want to crack it.
So if you want really good security on those airwaves, well, you're going to need something that wasn't put together by a bunch of geeks working on their lunch breaks. (At least right now; in the future, as security becomes more developed, this might change.) You're going to need something that a reputable company puts out and will back up with patches and changes, and won't put in backdoors because they're too worried about lawsuits. Someone with an excellent track record, and who will personally answer your security questions.
You just don't get those kinds of things or assurances with today's level of Open Source Developers. Besides, if you're not willing to fork out some major cash to secure your data in a highly insecure environment, then maybe you shouldn't go there!
[[[rimshot]]]
Get your Unix fortune now!
Huh? I've seen the Pentagon--in pictures and live, up close. I can assure anyone that there was extensive damage on all floors and on the roofs leading to the inner rings. What sort of doctored crap are you looking at?
Dealing with the current state of wireless security isn't worth it.
Move all of your access points to a network that is outside the firewall. Treat the wireless network as if it is completely untrusted. Enable DHCP on the untrusted network, but do not route the network to anywhere except to the VPN concentrator.
Place a VPN Concentrator on the wireless network and give VPN clients to all of your wireless users. No VPN = NO ACCESS. Problem solved.
All of your company's encryption requirements can be handled by the VPN concentrator, which I'm sure you can get certification for.
Because the Liberal Philosophy is Government Control and Central Authority. DUH!!
You want it in your lifetime? Who's going to certify it? Better yet, who's going to pay to have it certified? Unless you want to explain, in court, to arrogant, hostile morons, why an OSS product meets the standards, you have to have somebody else state that it does. That costs money. One way or another, you're going to have to pay.
Why in court? Because at some point, somebody can claim that you failed to exercise "due diligence" for something -- somebody else's proprietary secrets, personal information, or your own insider information. That's why people pay for certification -- they can point to somebody else, whom they paid to tell them it was "good."
It's called two paper cups and a string between them, but then I guess it won't be as secure because of the possibility of some bird sitting on it listening in.
Wireless security in hardware is laughable. Some cisco products are resistant to the attacks airsnort makes and some strategies can be employed to make WEP more secure, but the fundamental design is too flawed to trust. Feel free to turn on WEP but never ever expect it to buy you much of anything.
The best strategy for both data security and access control is to use IPsec: FreeS/WAN for Linux and the built-in IPsec for Win2k and newer. If you have to use a dedicated WAP appliance, plug it directly into a gateway interface and have the wireless network on its own subnet, probably using a privately addressable subnet, since server applications on wireless would be stupid most of the time. That gateway would only have UDP port 500 and protocol 50, maybe 51, open, and the rest of the traffic coming in plain from the WEP side gets dropped immediately. Now you are both forcing users to use secure transport-level methods *and* preventing unauthorized use by those who do not have keys on the gateway. I'm not sure what certification it meets, but it is a proven, trusted technology as opposed to the "Wiretap Equivalent Protocol". Of course, if the devices are very mobile and likely to be accessible from a public place or stolen, then you need to also have people use application-level security to make sure the data is kept secret, at the end stations as well as while in transit.
XML is like violence. If it doesn't solve the problem, use more.
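The gateway filter described in the post above (and in the earlier VPN-concentrator post) as an added example, not code from the page or any vendor: a Python model of the accept/drop decision a gateway makes for cleartext arriving from the WLAN interface. Only IKE (UDP/500), ESP (protocol 50), optionally AH (51) and DHCP are let through, and only when addressed to the gateway itself. The gateway address 10.20.0.1 and the sample packets are constructed for the example.

```python
"""Gateway filter for the untrusted wireless segment.

Models the rule described in the posts above: the WLAN subnet sits on its own
gateway interface and the only cleartext the gateway accepts from it is what
IPsec (and DHCP) need; everything else is dropped before it reaches anything.
Addresses and the subnet are assumptions for the example, not from the page.
Equivalent iptables rules on an assumed interface wlan0 would be
  -A INPUT -i wlan0 -p udp --dport 500 -d 10.20.0.1 -j ACCEPT
  -A INPUT -i wlan0 -p 50 -d 10.20.0.1 -j ACCEPT
  -A INPUT -i wlan0 -p 51 -d 10.20.0.1 -j ACCEPT
  -A INPUT -i wlan0 -j DROP   (and no FORWARD rule at all)
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 6, 17, 50, 51
IKE_PORT = 500                 # ISAKMP/IKE
DHCP_SERVER_PORT = 67          # client -> server
GATEWAY_ADDR = "10.20.0.1"     # assumed WLAN-side address of the gateway
BROADCAST = "255.255.255.255"


@dataclass(frozen=True)
class Packet:
    proto: int
    dst: str
    dport: Optional[int] = None


def gateway_policy(pkt: Packet, allow_ah: bool = True) -> str:
    """Return 'ACCEPT' or 'DROP' for a packet arriving on the WLAN interface."""
    to_gateway = pkt.dst == GATEWAY_ADDR
    # DHCP DISCOVER/REQUEST: broadcast, or directed at the gateway's DHCP server
    if (pkt.proto == PROTO_UDP and pkt.dport == DHCP_SERVER_PORT
            and pkt.dst in (BROADCAST, GATEWAY_ADDR)):
        return "ACCEPT"
    # IKE negotiation must terminate on the gateway itself
    if pkt.proto == PROTO_UDP and pkt.dport == IKE_PORT and to_gateway:
        return "ACCEPT"
    # ESP (50) and optionally AH (51), again only when addressed to the gateway
    if pkt.proto == PROTO_ESP and to_gateway:
        return "ACCEPT"
    if allow_ah and pkt.proto == PROTO_AH and to_gateway:
        return "ACCEPT"
    # Everything else from the WEP side, whether aimed at an inside host or at
    # the gateway's other services, is dropped: no keys on the gateway, no access
    return "DROP"


def audit(packets: List[Packet]) -> Dict[str, int]:
    """Count verdicts over a batch of packets (what a rule-hit counter would show)."""
    counts = {"ACCEPT": 0, "DROP": 0}
    for p in packets:
        counts[gateway_policy(p)] += 1
    return counts


# Constructed sample traffic, as seen on the WLAN-facing interface
SAMPLE = [
    Packet(PROTO_UDP, BROADCAST, DHCP_SERVER_PORT),   # laptop asking for a lease
    Packet(PROTO_UDP, GATEWAY_ADDR, IKE_PORT),         # IKE to the gateway
    Packet(PROTO_ESP, GATEWAY_ADDR),                   # tunnel traffic
    Packet(PROTO_TCP, "10.1.5.20", 445),               # SMB straight at an inside host
    Packet(PROTO_TCP, GATEWAY_ADDR, 22),               # ssh to the gateway itself
    Packet(PROTO_ESP, "10.1.5.20"),                    # ESP not terminating on the gateway
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(gateway_policy(p), p)
    print(audit(SAMPLE))
```

Note what the policy does not cover: a station that holds valid IPsec keys and is itself compromised gets a tunnel like any other, which is why the host-based firewall advice later in the thread matters as well.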
It's good to make sure those wireless networks are secure... given how often wireless networks can be picked up outside the actual office building: Wireless Network Visualization Project.
-- When I grow up I'd like to be a systems defenestrator.
Well, there is one company that has an NSA-certified wireless device. http://www.govcomm.harris.com/secure-comm/
I have not seen/used the product, so I cannot speak more about it.
...Long ago I disassembled my TCP/IP stack and found the magic place that the final layer of frosting is put on each packet, before it gets shipped off over the network. I added code to PGP the sucker with the public key looked up by hash of MAC address for each computer on network. Obviously, I also added code to undo the PGP with the private key as soon as a frosted, freshly packaged packet is received. (So that each computer has 1) its own private key 2) the public keys of every other computer on our network).
The reason to use PKI instead of symmetric keys is so that one stolen computer can't compromise the rest of the network.
Also, after I finished that, I added functionality to gzip each packet, thereby making it smaller. That's the fun thing -- since binary is binary is binary, you can treat packets as though they're just files, PGP them, zip them, send them off as email attachments. I once made a TCP/IP over SMTP program. It basically passed hundreds of thousands of emails, thusly:
Subject: (Automated) Packet 279463.
Body:
This is part of an automated TCP/IP over SMTP protocol.
Please find packet 279463 of this session attached.
Thank you.
~Paul
This advice is very sound. Be sure, however, that all of your machines have a host-based firewall that makes it so that the only hosts that can communicate with the wireless interface are the DHCP server and the VPN gate and then only over the ports that are required. The VPN tunnel interface can then be treated with relatively the same amount of trust as a hardwired machine inside the firewall.
Without doing this, all of your mobile clients become a very weak link in your network's security: a rogue wireless node could hack into your laptop running IIS (over the wireless link), then plant a trojan (or just turn on routing) that gives them access to the inside of the firewall through your VPN tunnel.
Microsoft's little fiasco a while back with crackers having access to their source code was essentially this type of attack. Note that in that case it was not a wireless network that was to blame, rather it was a broadband remote user that had a compromised machine.
Because FIPS 140-1 and 140-2 are standards for hardware cryptography. They are in fact pretty simple and a device with a small embedded processor running open source software can fulfill its requirements easily, by making the device meet certain criteria about tamper resistance and so forth. However, it's the whole device that gets certified, not simply the software inside it.
Note that certification costs quite a lot, like $50K or so. And of course you can't let users tamper with the firmware (i.e. by changing it) and have the device stay certified. It might be ok for the user to take the device apart and change the firmware resulting in an uncertified device, but if certification wasn't needed the user wouldn't have needed to buy the device to begin with.
Some are mean. This one pokes at a wound that hasn't healed yet.
Show some humanity.
science is a religion
Basically what happens is, you go talk to one of a number of organizations that NIST has approved to do the validation. Then you pay them a lot of money to go over your code. This generally takes one person full time on your side to answer their question and deal with the paperwork. What they're looking for is how you handle key material, and how you implement and use various cryptographic algorithms. For example, at Netscape we had to make some modifications to our random number generator to match FIPS 186.
Even after your software is validated, you still don't know that it's "secure". All you know is that it conforms to FIPS 140-1. While this can give you some comfort as to the soundness of the design of the software, it doesn't insulate you from bugs that can create vulnerabilities.
Finally, you also have to worry about keeping your validation updated every time you change the code. You need to show that any of the changes you make don't affect the validation in order to preserve it.
http://www.signull.com these people make cheap 802.11b wifi antennas
Oooh! A web site with a corporate theme! It reminds me of the old National Geographic theme
If you want a secure wireless network, why not just implement every security procedure you can think of and stack them? I'm not too familiar with wireless, I've never actually dealt with it personally, but I've talked to people who have, and they said that they use 512-bit encryption combined with a DMZ, and that locks everything down pretty well. Then if you're REALLY REALLY REALLY paranoid and you want to contain the wireless users to a certain building, you can always line the walls with a wire mesh screen to block the signal. Yes, easier said than done, I know, but if you're psychotically paranoid it might be worth it.
What about kiddie porn, offensive content or terrorism?
While most people wish that child pornography and terrorism did not exist, humanity should not be deprived of their freedom to communicate just because of how a very small number of people might use that freedom.
They are not condoning child porn, but admitting that Freenet might assist, and saying that yes, it's bad. But free speech is more important. It's about the same thing as someone saying yes, the internet helps people spread child porn. But are you gonna take down the entire internet because of it?
That was presented at the 2001 IEEE Security and Privacy conference. The idea is that if two characters are enough milliseconds apart, they likely come from separate rows on the keyboard.
The researchers estimated about a 50x work factor reduction for cracking the password.
Then came the audience question which was a trademark of the conference, "Were you aware that $1 reported that already in $2 at $3?"
Also, we have hopes that it's a lot easier to make governments pick a standard and stick to it, collectively (as in ISO), although it can be hard to get them to agree, say, ANSI vs CSA standards and so on...
By the way, T-Ranger, my Canadian confrere, most of the Yanks on /. don't know what WHMIS (Workplace Hazardous Materials Information System) is, and that's OSHA (Williams-Steiger Occupational Safety and Health Act).
Interrobang, tech writer in OSH&E
I'm not a geek, I'm just a clever script.
Last meeting I went to at NIST they had wireless set up for us but had no security at all on it :)
Finkployd
Yeah, sure. Get a government certification. That will keep you safe.
-jcr
The only title of honor that a tyrant can grant is "Enemy of the State."
Check out Harris at
www.govcomm.harris.com/secure-comm
They make a PCMCIA card that is due to be tested for NSA Type 1 encryption soon. I saw it in action during source selection review, and it works pretty sweet.
I believe this will meet any encryption standards they could throw at you; it's good enough for the NSA!
Enjoy.
Vote monkeys into Congress. They are cheaper and more trustworthy.
The products from Fortress Technologies are actually pretty sweet. We use dozens of the little AF-1100's all over the place with a bunch of Lucent/Agere AP's for bridging and the like. They just recently acquired the FIPS 140-1 certs for their software. I opened one up, voiding the warranty, and checked it out. (they run Linux on an embedded single board computer.) It's much simpler than IPSEC or VPN since it's layer 2. (and since it's layer 2, we're talking whatever protocol you want to run under Win32 and PocketPC.) The company I work for sells them for $1895.
THIS SPACE FOR RENT
A company called Altarus has a network protocol optimization tool that includes a FIPS-certified encryption mechanism.
We've used it to develop applications running on top of 802.11b networks, and aside from being able to address the security case, the transmission protocol does a bang-up job at optimizing data transmission over IP. The SDK is also pretty good.
***Foucault is watching you..***
We are using the Fortress Technologies AirFortress Layer 2 Encryption switch to secure wireless networks. It is FIPS 140-1 certified for government use with 3DES, AES-128, AES-192, and AES-256. We have tested it with PDAs using MIPS and StrongARM processors running Windows CE 3.0 and with wireless clients running Windows 95 (Rev. B), Win98, WinNT 4.0, and Win2K. The WinXP client is almost out of testing for release. The OS for the Fortress security switch is Linux (they block shell access - it is a security switch), but there is no Linux client yet. If you would like for there to be a Linux client you'll have to contact the company (they say they could develop it but there hasn't been much customer demand). The email is tech@fortresstech.com. We are a wireless integrator for the government and we sell the Fortress security for $1895 on our GSA schedule. I can be contacted at rhay@suprtek.com. Also, we have tested this security solution with 802.11b access points (Cisco, Orinoco, Symbol, Netgear, Linksys, etc...). Also the Agere, Avaya, and Intel APs, but they are just the aforementioned vendors OEMed. The AirFortresses can be used to encrypt and decrypt either end of a bridged link, or they can be used to protect a wired network from the wireless one, only allowing access to validated clients (it uses Diffie-Hellman key exchange and encrypts every frame to and from the wireless client). I have used Airsnort, Kismet, and Ethereal to observe the AirFortress encrypted packets and all you get is frames that have valid Ethernet headers, a 0x8895 ethertype (the Fortress registered type), and encrypted bits. No IP headers. Anyway, it's government certified, it creates a very effective wireless DMZ that protects the wired network from the wireless one, and using it on the client end is a no-brainer (it literally is transparent to the end user so it can survive a PBCK [Problem between chair and keyboard]).
We do wireless video for a Metropolitan Police Department and have a lot of wireless experience. And the AirFortress has an elegant solution for niche applications.
Richard Hay | Systems Engineer | rhay@tamos.net
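An added example, not part of the post above or any vendor's code, of what the sniffer observation in that post means in practice: a small Ethernet frame parser that reads as far as the frame format allows. For a plaintext IPv4 frame it recovers addresses and ports; for a frame carrying the 0x8895 ethertype the post mentions it stops at the Ethernet header, because everything past it is opaque. The sample frames, MAC addresses and the "ciphertext" filler are constructed for the example and are not real AirFortress output.

```python
"""What a sniffer on the wireless side sees: the Ethernet header, then either
a parsed IP/transport header (plaintext traffic) or opaque bytes (a layer-2
encrypted frame carrying the 0x8895 ethertype named in the post above).
Sample frames are constructed for this example; the ciphertext is filler."""
import hashlib
import socket
import struct
from typing import Any, Dict

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_FORTRESS = 0x8895   # ethertype reported in the post above


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def summarize_frame(frame: bytes) -> Dict[str, Any]:
    """Parse as far as the frame format allows; stop where content is opaque."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    info: Dict[str, Any] = {"dst_mac": _mac(dst), "src_mac": _mac(src),
                            "ethertype": etype, "payload_len": len(payload)}
    if etype == ETHERTYPE_IPV4 and len(payload) >= 20:
        (ver_ihl, _tos, _tlen, _id, _frag, ttl, proto, _csum,
         sip, dip) = struct.unpack("!BBHHHBBH4s4s", payload[:20])
        ihl = (ver_ihl & 0x0F) * 4
        info.update({"ip_src": socket.inet_ntoa(sip), "ip_dst": socket.inet_ntoa(dip),
                     "ip_proto": proto, "ttl": ttl})
        if proto in (6, 17) and len(payload) >= ihl + 4:       # TCP or UDP ports
            sport, dport = struct.unpack("!HH", payload[ihl:ihl + 4])
            info.update({"sport": sport, "dport": dport})
    elif etype == ETHERTYPE_FORTRESS:
        # Layer-2 encryption: nothing past the Ethernet header can be parsed
        info["opaque"] = True
    return info


def eavesdropper_view(frame: bytes) -> Dict[str, Any]:
    """The addressing an attacker with Airsnort/Kismet/Ethereal reads off the air."""
    s = summarize_frame(frame)
    return {k: v for k, v in s.items()
            if k in ("src_mac", "dst_mac", "ip_src", "ip_dst", "dport")}


def _ipv4_tcp_frame(src_mac: bytes, dst_mac: bytes, sip: str, dip: str,
                    sport: int, dport: int) -> bytes:
    tcp = struct.pack("!HH", sport, dport) + bytes(16)   # minimal 20-byte TCP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(sip), socket.inet_aton(dip))  # checksum 0: constructed
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def _l2_encrypted_frame(src_mac: bytes, dst_mac: bytes, n: int = 64) -> bytes:
    # Deterministic filler standing in for ciphertext; not a real cipher output
    filler = hashlib.sha256(b"constructed ciphertext filler").digest() * 2
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_FORTRESS) + filler[:n]


LAPTOP = bytes.fromhex("00 02 2d 11 22 33")     # constructed station MAC
GATEWAY = bytes.fromhex("00 04 76 aa bb cc")    # constructed switch MAC
PLAIN = _ipv4_tcp_frame(LAPTOP, GATEWAY, "10.20.0.7", "192.168.1.20", 40000, 80)
ENCRYPTED = _l2_encrypted_frame(LAPTOP, GATEWAY)

if __name__ == "__main__":
    print("plaintext frame:", eavesdropper_view(PLAIN))
    print("encrypted frame:", eavesdropper_view(ENCRYPTED))
```

The caveat a practitioner wants from this: the Ethernet header is still in the clear, so station MAC addresses and who talks to whom remain visible even when every frame body is encrypted, which is the same reason MAC-address filtering by itself (discussed later in the thread) is not an access control.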
This does not address Denial of Service attacks caused by birds attempting to collect bits of the string for nesting material; a preferable solution to both issues would be to run the string inside a conduit with a diameter greater than the maximum amplitude of the carrier waves. Care should be taken to plan ahead and use larger conduits than are currently needed, in order to accommodate future increases in wave size.
Otherwise, everyone will be clamoring for "fatter pipes".
"Time is an abstract concept devised by carbon-based lifeforms to monitor their ongoing decay." - Thundercleese
A protocol certified 'secure' by, say, OpenBSD, means something different than a protocol certified secure by the Feds. In one case, it stands on its own as a pretty reasonable assurance, but something I'd look at very carefully before setting up a bank using it. In the other, we're asking 'I have a remotely advised drone armed with tank-killing missiles, and I feel secure talking to it using this protocol'.
I'm not saying that the government is necessarily 'better' at figuring this out. Just that they'll be motivated to try, and will feel free to spend lots of money researching the problem. :)
One of the things that makes cracking WEP or whatnot is the sheer regularity of the data. Those parts should probably be left out of the encryption, since they lower the value of the overall security, and (on a well designed network) there's just not much you can do with the info.
actually, government is mostly made up of people who WON'T do the right thing, who WILL follow any order no matter how stupid, illegal or unethical it is. I've always been "private sector" and have quit several jobs when confronted with ethics conflicts mandated by "higher ups". If government had more people of integrity and courage, we wouldn't have 7/8ths of the scandals, waste and wars we have.
Good quality government workers are the exception, not the rule. The small quantity of 'Good quality government workers" are constantly screwed, despite so called "whistle blower" statutes, which if you think about it, shouldn't even be necessary if we had "good quality government", which we most certainly do NOT have at this time..
Open source vs. closed source should not make any difference. The key is the cost: every time you modify it, you have to recertify it! Granted, the recertification will cost less than the first time, but it is best to isolate the security sections as much as possible.
See my other post for comments about what certification actually buys you.
There's really no need for this sort of thing - 3DES or AES are strong enough to keep the NSA and KGB out if you use good keys and don't mishandle them.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
In any case, there are still some reasons why OSS modules don't fit well with FIPS 140.
Boy, that sounds fun, don't it? Even if you overcome the central issue of documentation, you still need a shit load of money to push it through. The entire process just isn't set up for independent groups to get certified.
All that being said, I note (by looking at the pre-validation list) that Sun is near the end of the process for certifying the NSS, which is a portion of Mozilla...
Or just one of those carrier pigeons with clay tablets...?
Lets say that your wireless product uses WEP. There is nothing that would keep you from getting a FIPS 140 certification for that product, even though WEP is a really broken algorithm. All the FIPS 140 cert does is assure people that you really did implement WEP.
Aside from assurance that the product works as designed, the best use of FIPS is for hardware security designs. Unlike logical security, it is fairly easy to specify the requirements and goals you want your hardware security systems to meet. The labs that perform certification also have a lot of experience in ensuring products meet their design goals. So FIPS 140 (IMHO) is an excellent standard for hardware.
Another problem with any certification, including FIPS 140, is the need to recertify anytime you change the certified sections. The way most people do this, is to compartmentalize the security sections (which hopefully rarely change). Never worked for my last job, where we had to change these types of sections several times a year.
So, to directly answer your question, I think asking for a FIPS 140 certified product will not buy you much security for your problem. The idea is to solve the security problems as they are installed in your system. The Common Criteria standards will probably work much better for this (but here your organization is responsible for getting the certification, although it helps if your vendors can supply components that are already certified).
Who's asking you to get it certified? Do they know what that means, or whether there are actually products with certifications that make sense for your environment? Do you work for some kind of government organization that has formal requirements for it (and if so can you negotiate a waiver in return for using appropriate protections)? Or do you work for private industry that can make intelligent decisions on your own (in which case get your management to blow away your Info Security folks and tell them to go provide useful protection rather than getting in the way of real work)? Or do you work for some corporation that does military contracting and therefore has bureaucratic rules to follow (that's probably the hardest version to fix, and may depend on whether you can argue that your site is separate.)
It's way overkill for your small business, and I doubt you could afford it, but Harris has recently started taking orders for its new 802.11b wireless network cards and access points. They're Type 1 encryption, as opposed to FIPS-category devices, which are Type 3. FIPS-level security is for sensitive but unclassified information, meaning it would be bad, but not devastating, if this info was cracked. Type 1 devices are used to protect classified information; seriously bad juju could happen if the wrong people get this info.
Not only that, they have a price-point about half that of previous Type 1 encryption devices, about 2700 per node as opposed to about 5k per node.
Hope this helps, they have a nice datasheet and brief on the site.
Steven
-- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of
I will claim quite a bit of ignorance on this issue. I have just recently set up my own 802.11b system at home. Because it's inside my firewall (a Linux box that acts as router/web cache/firewall), I didn't want it to be open to the world (and I hope it isn't). The rest of my machines are Windows (it's my job, sorry), and they're all pretty exposed, hence the Linux box in the middle. I got a Linksys AP and card.
I had a lot of problems getting WEP to work properly (though I think I could get it working now), so I simply did a MAC address restriction on the AP and, if I understand it properly, nobody should be able to use my AP but a machine with my laptop's MAC address (which is supposedly unique). That doesn't mean the traffic can't be monitored. For this, I don't know, but I'm not real concerned about that.
Wouldn't a combination of WEP and MAC address restrictions be enough for most places, though?
Actually, Altarus is in the FIPS process now; they are not yet FIPS certified. Sometime Q4 would be a good estimate.
If you tell 3000 people what your WEP key is, you don't have a secret anymore.
When you combine that problem with the logistical mess of giving out keys and the loss of your ability to provide access for visitors, you would be better off putting your wireless network outside your company firewall. Then, use VPN clients to pierce your firewall the same way you would if you were home, in a hotel room, or at an airport.
How about checking your formatting, PLEASE!
Greetings, I'm the CTO for Artificial Surfworks, Inc - and we have an open-source, IPSec wireless access point called Firewalker that is in alpha testing now. Our Firewalker product is built using OpenAP, OpenSSL, FreeS/WAN and Sun's J2ME engine. It supports IPSec VPN connections from Linux and Windows 2000/XP clients and features a user-friendly cross-platform Java application for networking and security configuration. Firewalker supports X.509 certificates and FreeS/WAN keys, 3DES and AES encryption, and will be undergoing certification next month. Please see Firewalker for more details.
WEP + MAC = 2% more secure than nothing at all. WEP is crackable. Period. MAC is spoofable. Not much good there. ONLY VPN and the like will make an 802.11b network secure in any way. If you want a secure network, run FHSS and NOT DSSS networks. FH, to date, has not been cracked. Reason: you have 83 MHz of bandwidth and you can hop to any 2 (if I remember right) MHz channel you want. There are 20 channels after spacing, etc. Assuming you jumped and never hit the same channel twice in one sequence, that's 2432902008176640000 different sequences, assuming you ALWAYS start at channel 1. Before you can get the ESSID, etc. of an FH network you have to have the FH 100% correct. It takes VERY costly tools to do that, and even then it's not easy, and interference changes the hop sequence. Cracked`Soup
Cisco's VPN client offers a built-in host based firewall, if you configure the VPN not to run in split-tunnel mode.
Once the VPN is established, all traffic is routed through the VPN and all inbound traffic is thrown away.
This creates a minor inconvenience for users who want to print to local devices on the 802.11 LAN, but you just move those inside the corporate network.
There is at least one piece of FIPS 140-certified OSS software. See the algorithm-specific validation lists for DES, 3DES, SHA-1, etc.
Apparently you have to wear camouflage to use these cards. I suppose that provides added security.
Linus, please stop. This shit is getting beyond annoying, and I get destructive at that stage. Please stop following me around.
OK! I'll have sweaty sex with you, but you have to agree to stop stalking me.
it is not good to threaten me