U.S. Government Certified Wireless Security Products?
superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"
"Here are the certification requirements:
Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.

I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."
Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?
Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.
Well, there is one company that has an NSA-certified wireless device. http://www.govcomm.harris.com/secure-comm/
Have not seen/used the product, so I cannot speak more about it.
In this case, I'm talking traffic usage patterns.
Let's say you have AppX, which is used to decode, say, Albanian diplomatic encryption schemes. Its traffic is very very distinctive, over the network. Encrypted to hell and back, but very very distinctive.
So, Albania wants to find out if its ciphers are cracked. So it puts out a red herring, then listens to the network traffic radiating from the NSA building. Sure, it's encrypted, but who cares? They can tell.
This sounds stupid, and contrived, but remember, during the Cold War, the Russians would watch the pizza restaurants local to places of interest. If a bunch of pizzas are delivered to a certain door of the Pentagon at 10 at night, you know something's up.
Similarly, American diplomats in Russia were, and probably still are, told to do weird things. Why? To mask the signals and dead drops and stuff being done by actual American intelligence officers.
There's really no need for this sort of thing - 3DES or AES are strong enough to keep the NSA and KGB out if you use good keys and don't mishandle them.
Bill Stewart