U.S. Government Certified Wireless Security Products?

superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"

"Here are the certification requirements:

Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.

I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."

Why government certified?

[Zach`]

Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?

Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.

Re:Why government certified?

[CodeMonky]

Because it's standard.
Because it's perceived as good.
Because if you want to get a government contract you better meat government standards.
Because the government is supposed to have what is best for the people in mind.
Because private corporations have what is best for them in mind and really want you to pay for their product and not their competitors.

Re:Why government certified?

[RollingThunder]

Why?

Simple. The government has several large groups of people paid very well to be professionally paranoid, and to whom cost isn't a real concern - only the actual validity of the security.

Therefore, if THEY say that it's secure, you've got a pretty good chance of it being good enough. Much better than trusting that Vendor XYZ's pretty shiny brochure says "secure!" five times, and no negative reviews show up online.

Trust the experts. In this case, many of the experts happen to work for the government. If they worked in the private sector (and some do, but not most, and they're almost all biased), I'd look to them to certify things.

Re:Why government certified?

[CaffeineAddict2001]

Because individual corporations are too self-centered and greedy to agree on a standard and stick to it.

Re:Why government certified?

[Squeamish+Ossifrage]

Well, I think there's a big difference between "government regulation" and "government certification." Regulation is forcing you to do (or not do) something, while a certification is just providing information. As long as the certification isn't legally mandated, this doesn't strike me as bein so big a problem: It may be wasteful or stupid, but it's not opressive.

I tend to dislike government involvement at least as much as the next guy (which is sort of ironic, considering what I do) but this seems fairly reasonable. One thing that governments have done for a long time is establish standards (especially units of measure) and test whether products live up to their claims vis a vis those standards. I don't think it's that big a jump from certifying that a "pound" of flour really weighs a standard pound to certifying that a wireless networking hub offers the security it claims to.

Re:Why government certified?

[gwernol]

Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products?

The private sector has a really poor track record of developing independent standards by which products can be compared. One of the main purposes of a business is to develop competitive advantage over its rivals, this is counter to the notion of having universal standards against which your products are measured.

This is (IMHO) a great example of where the government can provide a useful service to citizens that the private sector is unlikely to generate. A standard certification means that I can compare and contrast products from different manufacturers. I don't have to takes Manufactuer X's claim of "superior security protocols" at face value, I can see whether it meets certain well-defined criteria.

Its this kind of oversight that ensures that something like a true free market can operate. A true free market requires consumers to have excellent/perfect information with which to compare products. Private enterprise is incented to stifle the flow of such information - see recent attempts by companies to use copyright law prevent the publication of independent reviews of their products. We need a government - which ideally is free from commercial biases - to provide enough regulation and guidance to enable a true free market to operate.

Why don't we fight for LESS government and LESS government intervention...

If you don't believe there are lots of people doing exactly this you are very much misinformed. If you believe we should all fight for such things you don't understand people and you don't understand democracy.

Re:Why government certified?

[American+AC+in+Paris]

Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?

Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.

An excellent point, my "conservative" or "right-leaning" friend!

I, for one, trust the private sector to make important standards decisions in a just and unbiased manner. I know that can count on private enterprise to interact with the public an an open and honest fashion, and think that your average board of directors has a much better handle on what's going on with their company than some hare-brained committee of bureaucrats has over some bloated, complex government scheme.

Besides, I don't want such important things left up to some government agency that could disappear from the face of the planet in an instant--no, thank you, I'll take private enterprise any day. They're really looking out for what's best for me.

...perhaps we should look to Europe for examples of how to do things properly...

Re:Why government certified?

[Fizzlewhiff]

Umm.... The writer works in a government facility and is asking about wireless products that meet government standards for security.

This isn't about bigger government or any other conspiracy where in order to buy new hardware it has to have passed government inspectors. Relax, you won't be seeing a purple USDA stamp of approval on your NIC any time soon, unless it is made out of beef. Mmmmmm... 802.11beef, its what's for dinner.

Re:Why government certified?

[Zeinfeld]

Why do we jump to have the government certify our electronic devices, standards, and protocols?

Because they are one of the key parties able to give an endorsement to a product. The microcomputer market exploded when IBM entered and provided it with the necessary endorsement, before IBM entered the fray micros were considered by many IT managers to be toys. The Web took off outside the computer industry after the Whitehouse went on line, before that no F500 company that was not in the computer or communications business would give us time of day.

The issue here is that the WEP-I standard was baddly bodged. So there is going to have to be an endorsement by an opinion leader before people feel safe to use the improved WEP-II.

The idea that NIST could provide that endorsement is not a bad one, clearly none of the industry players can do it at the moment. This is despite the fact that the 802.11 security group was acting on the problems before they were brought to public attention in the Berkely paper.

The standard that is being generally adopted is 802.1X, which is a general authentication mechanism for port level access that was originally developed for ethernet. Microsoft deployed a profile of this in the Windows XP support for WEP. There may be some divergence between this and the eventual standard since Windows XP only a short time after the WEP flaws were publicised.

WEPII does not provide perfect security, there remain features of the design which have the property that although nobody knows an exploit are still rather unsatisfactory. The biggest of these being that they still use RC4 where I would much prefer AES. However, the processors on the current 802 cards don't have the power to support AES and the liability is not great enough to justify throwing away all the existing cards.

On the OSS front, the best thing to do in this instance would be to follow Microsoft's approach and use a compatible profile of 802.1X. For the code to be any use to people it is going to have to work with the 802 hardware sold by the major vendors.

The big problem at the moment is that the access point hardware with support for the more advanced authentication mechanisms tends to be sold as $1500 enterprise solutions rather than $150 SOHO boxes, grrrr.

What I would really like is for someone to develop a cheap ($150) firewall router type box that supports Linux (or BSD) and PCMCIA to plug in an access card.

WEP is useless anyway

[scosol]

Sensitive data that needs protection should be encrypted at the app level anyway.

I'm *far* more interested in robust access-control rather than someone peeping in to my packets...

Re:WEP is useless anyway

[SuiteSisterMary]

In this case, I'm talking traffic usage patterns.

Lets say you have AppX, which is used to decode, say, Albanian diplomatic encryption schemes. It's traffic is very very distinctive, over the network. Encrypted to hell and back, but very very distinctive.

So, Albania wants to find out if it's ciphers are cracked. So it puts out a red herring, then listens to the network traffic radiating from the NSA building. Sure, it's encrypted, but who cares? They can tell.

This sounds stupid, and contrived, but remember, during the Cold War, the Russians would watch the pizza restaurants local to places of interest. If a bunch of pizzas are delivered to a certain door of the Pentagon at 10 at night, you know something's up.

Similarly, American diplomats in Russia were, and probably still are, told to do wierd things. Why? To mask the signals and dead drops and stuff being done by actual American intelligence officers.

OSI won't work...

[ImaLamer]

OSI won't work for gov't certifications because the backdoor would be visible to the world.

[[[rimshot]]]

Use VPN, forget WEP.

[netik]

Dealing with the current state of wireless security isn't worth it.

Move all of your access points to a network that is outside the firewall. Treat the wireless network as if it is completely untrusted. Enable DHCP on the untrusted network, but do not route the network to anywhere except to the VPN concentrator.

Place a VPN Concentrator on the wireless network and give VPN clients to all of your wireless users. No VPN = NO ACCESS. Problem solved.

All of your company's encryption requirements can be handled by the VPN concentrator, which I'm sure you can get certification for.

IPSec

[Junta]

Wireless security in hardware is laughable. Some cisco products are resistant to the attacks airsnort makes and some strategies can be employed to make WEP more secure, but the fundamental design is too flawed to trust. Feel free to turn on WEP but never ever expect it to buy you much of anything.

The best strategy for both data security and access control is to use IPSEC, FreeS/WAN for linux and built in IPSec for Win2k and newer. If you have to use a dedicated WAP appliance, plug it directly into a gateway interface and have the wireless network on its own subnet, probably using a privately addressable subnet, since server applications on Wireless would be stupid most of the time. That gateway only would have udp port 500 and protocol 50, maybe 51 open, and the rest of the traffic coming in plain from the WEP get's dropped immediately. Now you are both forcing users to use secure transport level methods *and* preventing unauthorized use by those who do not have keys on the gateway. I'm not sure what certification it meets, but it is a proven, trusted technology as opposed to the "Wiretap Equivalent Protocol". Of course if the devices are very mobile and likely to be accessible from a public place or stolen, then you need to also have people use application level security to make sure the data is kept secret. At the endstations as well as while in transit.

Open source software can't meet this standard...

[splorf]

and neither can closed-source software. Why?

Because FIPS 140-1 and 140-2 are standards for hardware cryptography. They are in fact pretty simple and a device with a small embedded processor running open source software can fulfill its requirements easily, by making the device meet certain criteria about tamper resistance and so forth. However, it's the whole device that gets certified, not simply the software inside it.

Note that certification costs quite a lot, like $50K or so. And of course you can't let users tamper with the firmware (i.e. by changing it) and have the device stay certified. It might be ok for the user to take the device apart and change the firmware resulting in an uncertified device, but if certification wasn't needed the user wouldn't have needed to buy the device to begin with.

*You* can't use that solution

[billstewart]

"NSA Type 1" encryption means "some proprietary chip from the NSA that relies on obscurity as one of its security techniques, and unavailability to the general public as another." Unless you're working on an appropriate government project with a comsec account, *you* can't have one of the chips. According to the data sheet, depending on the keys you've got installed, it's either handled as

• Unclassified Key or without Key - Controlled Cryptographic Item (CCI)
• With Secret Key - SECRET item.

There's really no need for this sort of thing - 3DES or AES are strong enough to keep the NSA and KGB out if you use good keys and don't mishandle them.

I haven't seen anyone actually answer you, so here

[Mtgman]

It's way overkill for your small business, and I doubt you could afford it, but Harris has recently started taking orders for it's new 802.11b wireless network cards and access points They're Type 1 encryption, as opposed to FIPS category devices which are Type 3. FIPS level security is for sensitive, but unclassified information, meaning it would be bad, but not devestating if this info was cracked. Type 1 devices are used to protect Classified information, seriously bad juju could happen if the wrong people get this info.

Not only that, they have a price-point about half that of previous Type 1 encryption devices, about 2700 per node as opposed to about 5k per node.

Hope this helps, they have a nice datasheet and brief on the site.

Steven