Slashdot Mirror


U.S. Government Certified Wireless Security Products?

superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"

"Here are the certification requirements:

Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.
I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."

7 of 132 comments

  1. Re:Why government certified? by CodeMonky · Score: 4, Informative

    Because it's standard.
    Because it's perceived as good.
    Because if you want to get a government contract you better meet government standards.
    Because the government is supposed to have what is best for the people in mind.
    Because private corporations have what is best for them in mind and really want you to pay for their product and not their competitors.

    --
    --"Karma is justice without the satisfaction"
  2. Why use JetFortress? by Anonymous Coward · Score: 1, Informative

    Cisco Aironet stuff + their Secure ACS on Solaris would do the trick just fine via LEAP.

  3. IPSec by Junta · Score: 4, Informative

    Wireless security in hardware is laughable. Some cisco products are resistant to the attacks airsnort makes and some strategies can be employed to make WEP more secure, but the fundamental design is too flawed to trust. Feel free to turn on WEP but never ever expect it to buy you much of anything.

    The best strategy for both data security and access control is to use IPSEC, FreeS/WAN for Linux and built in IPSec for Win2k and newer. If you have to use a dedicated WAP appliance, plug it directly into a gateway interface and have the wireless network on its own subnet, probably using a privately addressable subnet, since server applications on Wireless would be stupid most of the time. That gateway only would have udp port 500 and protocol 50, maybe 51 open, and the rest of the traffic coming in plain from the WEP gets dropped immediately. Now you are both forcing users to use secure transport level methods *and* preventing unauthorized use by those who do not have keys on the gateway. I'm not sure what certification it meets, but it is a proven, trusted technology as opposed to the "Wiretap Equivalent Protocol". Of course if the devices are very mobile and likely to be accessible from a public place or stolen, then you need to also have people use application level security to make sure the data is kept secret. At the endstations as well as while in transit.

    --
    XML is like violence. If it doesn't solve the problem, use more.
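The gateway filter comment 3 describes, as an added example that is not part of the post: only IKE (UDP/500), ESP (IP protocol 50) and AH (IP protocol 51) are accepted from the wireless side, everything else is dropped. The interface name, subnet and sample packets are assumptions; the rules are rendered in iptables syntax on the assumption (per the post) that decrypted FreeS/WAN traffic arrives on a separate ipsec0 interface rather than on the wireless one.

```python
from dataclasses import dataclass
from typing import List, Optional

WLAN_IF = "eth1"            # assumed: gateway interface facing the access point
WLAN_NET = "10.10.0.0/24"   # assumed: private subnet used by wireless clients

# (ip_protocol, udp_dport or None) -> name of the rule that admits the packet
ALLOWED = {(17, 500): "IKE", (50, None): "ESP", (51, None): "AH"}


@dataclass
class Packet:
    src: str
    proto: int
    dport: Optional[int] = None   # only meaningful for UDP (17)


def classify(pkt: Packet) -> str:
    """Return the admitting rule name, or 'DROP' for anything not carried by IPsec."""
    key = (pkt.proto, pkt.dport if pkt.proto == 17 else None)
    return ALLOWED.get(key, "DROP")


def plaintext_sources(pkts: List[Packet]) -> List[str]:
    """Wireless hosts that sent traffic outside IPsec: misconfigured or unauthorised clients."""
    return sorted({p.src for p in pkts if classify(p) == "DROP"})


def iptables_rules() -> List[str]:
    """Render the policy as iptables commands for the gateway."""
    base = f"iptables -A INPUT -i {WLAN_IF} -s {WLAN_NET}"
    return [
        f"{base} -p udp --dport 500 -j ACCEPT",   # IKE key exchange
        f"{base} -p esp -j ACCEPT",               # protocol 50
        f"{base} -p ah -j ACCEPT",                # protocol 51
        # log, then drop, whatever arrives in the clear from the wireless side
        f"iptables -A INPUT -i {WLAN_IF} -j LOG --log-prefix 'WLAN-PLAINTEXT: '",
        f"iptables -A INPUT -i {WLAN_IF} -j DROP",
        # plaintext from the wireless side is never forwarded; decrypted traffic shows up on ipsec0
        f"iptables -A FORWARD -i {WLAN_IF} -j DROP",
    ]


# constructed sample traffic: one client speaks IPsec, another sends plaintext HTTP and DNS
SAMPLE = [
    Packet("10.10.0.5", 17, 500), Packet("10.10.0.5", 50),
    Packet("10.10.0.9", 6, 80), Packet("10.10.0.9", 17, 53),
]

if __name__ == "__main__":
    print("\n".join(iptables_rules()))
    print("plaintext senders:", plaintext_sources(SAMPLE))
```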
  4. Open source software can't meet this standard... by splorf · Score: 5, Informative
    and neither can closed-source software. Why?

    Because FIPS 140-1 and 140-2 are standards for hardware cryptography. They are in fact pretty simple and a device with a small embedded processor running open source software can fulfill its requirements easily, by making the device meet certain criteria about tamper resistance and so forth. However, it's the whole device that gets certified, not simply the software inside it.

    Note that certification costs quite a lot, like $50K or so. And of course you can't let users tamper with the firmware (i.e. by changing it) and have the device stay certified. It might be ok for the user to take the device apart and change the firmware resulting in an uncertified device, but if certification wasn't needed the user wouldn't have needed to buy the device to begin with.

  5. FIPS 140-1 by Anonymous Coward · Score: 2, Informative
    I've been through the FIPS 140-1 validation process when I was working at Netscape. It's a very lengthy and expensive process, and I doubt anyone would pay for it on an OSS project.


    Basically what happens is, you go talk to one of a number of organizations that NIST has approved to do the validation. Then you pay them a lot of money to go over your code. This generally takes one person full time on your side to answer their question and deal with the paperwork. What they're looking for is how you handle key material, and how you implement and use various cryptographic algorithms. For example, at Netscape we had to make some modifications to our random number generator to match FIPS 186.


    Even after your software is validated, you still don't know that it's "secure". All you know is that it conforms to FIPS 140-1. While this can give you some comfort as to the soundness of the design of the software, it doesn't insulate you from bugs that can create vulnerabilities.


    Finally, you also have to worry about keeping your validation updated every time you change the code. You need to show that any of the changes you make don't affect the validation in order to preserve it.

  6. Government Approved 802.11x Security Solution by AggieEngineer · Score: 2, Informative

    We are using the Fortress Technologies AirFortress Layer2 Encryption switch to secure wireless networks. It is FIPS 140-1 certified for government use with 3DES, AES-128, AES-192, and AES-256. We have tested it with PDAs using MIPS and StrongArm processors running Windows CE 3.0 and with wireless clients running Windows 95 (Rev. B), Win98, WinNT 4.0, and Win2K. The WinXP client is almost out of testing for release. The OS for the Fortress Security switch is Linux (they block shell access - it is a security switch), but there is no Linux client yet. If you would like for there to be a Linux client you'll have to contact the company (they say they could develop it but there hasn't been much customer demand). The email is tech@fortresstech.com. We are a wireless integrator for the government and we sell the fortress security for $1895 on our GSA schedule. I can be contacted at rhay@suprtek.com. Also, we have tested this security solution with 802.11b access points (Cisco, Orinoco, Symbol, Netgear, Linksys, etc...). Also the Agere, Avaya, and Intel APs but they are just the aforementioned vendors OEMd. The Airfortresses can be used to encrypt and decrypt either end of a bridged link or they can be used to protect a wired network from the wireless one, only allowing access to validated clients (it uses Diffie-Hellman key exchange and encrypts every frame to and from the wireless client). I have used Airsnort, kismet, and Ethereal to observe the AirFortress encrypted packets and all you get is frames that have valid ethernet headers, a 0x8895 ethertype (the Fortress registered type), and encrypted bits. No IP headers. Anyway, it's government certified, it creates a very effective wireless DMZ that protects the wired network from the wireless one, using it on the client end is a no brainer (it literally is transparent to the end user so it can survive a PBCK [Problem between chair and keyboard]).
    We do wireless video for a Metropolitan Police Department and have a lot of wireless experience. And the AirFortress has an elegant solution for niche applications.

    --
    Richard Hay | Systems Engineer | rhay@tamos.net
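The observation above (encrypted frames show a valid Ethernet header, ethertype 0x8895, and no IP header) turned into a capture audit, as an added example that is not part of the post or the vendor's software: it parses raw Ethernet frames, counts the 0x8895 frames and lists any wireless station that still sends plaintext IPv4. The frames and MAC addresses are constructed; skipping an 802.1Q VLAN tag is a generalisation beyond what the post describes.

```python
import struct
from typing import List, Optional, Tuple

ETHERTYPE_FORTRESS = 0x8895   # value reported in the comment above
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100       # 802.1Q tag: not mentioned in the post, handled as a generalisation


def ethertype_of(frame: bytes) -> int:
    """Return the payload ethertype of a frame, looking past one 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        etype = struct.unpack("!H", frame[16:18])[0]
    return etype


def audit(frames: List[bytes]) -> Tuple[int, List[str]]:
    """Count encrypted (0x8895) frames and list source MACs that emitted plaintext IPv4."""
    encrypted = 0
    leaks = set()
    for frame in frames:
        etype = ethertype_of(frame)
        if etype == ETHERTYPE_FORTRESS:
            encrypted += 1
        elif etype == ETHERTYPE_IPV4:        # an IP header visible on the wireless side
            leaks.add(frame[6:12].hex(":"))   # source MAC, colon separated
    return encrypted, sorted(leaks)


def build_frame(dst: bytes, src: bytes, etype: int, payload: bytes,
                vlan: Optional[int] = None) -> bytes:
    """Assemble a constructed Ethernet frame (optionally 802.1Q tagged) for the audit."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan)
    return hdr + struct.pack("!H", etype) + payload


# constructed sample capture: station A is encrypted, station B leaks plaintext IP and ARP
MAC_AP, MAC_A, MAC_B = (bytes.fromhex(h) for h in ("020000000001", "020000000002", "020000000003"))
SAMPLE = [
    build_frame(MAC_AP, MAC_A, ETHERTYPE_FORTRESS, b"\x00" * 20),
    build_frame(MAC_AP, MAC_A, ETHERTYPE_FORTRESS, b"\x00" * 20),
    build_frame(MAC_AP, MAC_B, ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18),
    build_frame(MAC_AP, MAC_B, ETHERTYPE_IPV4, b"\x45\x00" + b"\x00" * 18, vlan=10),
    build_frame(MAC_AP, MAC_B, ETHERTYPE_ARP, b"\x00" * 28),
]
```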
  7. I haven't seen anyone actually answer you, so here by Mtgman · Score: 3, Informative

    It's way overkill for your small business, and I doubt you could afford it, but Harris has recently started taking orders for its new 802.11b wireless network cards and access points. They're Type 1 encryption, as opposed to FIPS category devices which are Type 3. FIPS level security is for sensitive, but unclassified information, meaning it would be bad, but not devastating if this info was cracked. Type 1 devices are used to protect Classified information, seriously bad juju could happen if the wrong people get this info.

    Not only that, they have a price-point about half that of previous Type 1 encryption devices, about 2700 per node as opposed to about 5k per node.

    Hope this helps, they have a nice datasheet and brief on the site.

    Steven

    --
    -- I have marked myself unwilling to moderate-- I don't have other accounts to artificially inflate the karma of