Slashdot Mirror
U.S. Government Certified Wireless Security Products?
superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"
"Here are the certification requirements:
Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."
Because it's standard.
Because it's perceived as good.
Because if you want to get a government contract you better meat government standards.
Because the government is supposed to have what is best for the people in mind.
Because private corporations have what is best for them in mind and really want you to pay for their product and not their competitors.
--"Karma is justice without the satisfaction"
Why?
Simple. The government has several large groups of people paid very well to be professionally paranoid, and to whom cost isn't a real concern - only the actual validity of the security.
Therefore, if THEY say that it's secure, you've got a pretty good chance of it being good enough. Much better than trusting that Vendor XYZ's pretty shiny brochure says "secure!" five times, and no negative reviews show up online.
Trust the experts. In this case, many of the experts happen to work for the government. If they worked in the private sector (and some do, but not most, and they're almost all biased), I'd look to them to certify things.
[[[rimshot]]]
Get your Unix fortune now!
Dealing with the current state of wireless security isn't worth it.
Move all of your access points to a network that is outside the firewall. Treat the wireless network as if it is completely untrusted. Enable DHCP on the untrusted network, but do not route the network to anywhere except to the VPN concentrator.
Place a VPN Concentrator on the wireless network and give VPN clients to all of your wireless users. No VPN = NO ACCESS. Problem solved.
All of your company's encryption requirements can be handled by the VPN concentrator, which I'm sure you can get certification for.
Wireless security in hardware is laughable. Some cisco products are resistant to the attacks airsnort makes and some strategies can be employed to make WEP more secure, but the fundamental design is too flawed to trust. Feel free to turn on WEP but never ever expect it to buy you much of anything.
The best strategy for both data security and access control is to use IPSEC, FreeS/WAN for linux and built in IPSec for Win2k and newer. If you have to use a dedicated WAP appliance, plug it directly into a gateway interface and have the wireless network on its own subnet, probably using a privately addressable subnet, since server applications on Wireless would be stupid most of the time. That gateway only would have udp port 500 and protocol 50, maybe 51 open, and the rest of the traffic coming in plain from the WEP get's dropped immediately. Now you are both forcing users to use secure transport level methods *and* preventing unauthorized use by those who do not have keys on the gateway. I'm not sure what certification it meets, but it is a proven, trusted technology as opposed to the "Wiretap Equivalent Protocol". Of course if the devices are very mobile and likely to be accessible from a public place or stolen, then you need to also have people use application level security to make sure the data is kept secret. At the endstations as well as while in transit.
XML is like violence. If it doesn't solve the problem, use more.
Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products?
The private sector has a really poor track record of developing independent standards by which products can be compared. One of the main purposes of a business is to develop competitive advantage over its rivals, this is counter to the notion of having universal standards against which your products are measured.
This is (IMHO) a great example of where the government can provide a useful service to citizens that the private sector is unlikely to generate. A standard certification means that I can compare and contrast products from different manufacturers. I don't have to takes Manufactuer X's claim of "superior security protocols" at face value, I can see whether it meets certain well-defined criteria.
Its this kind of oversight that ensures that something like a true free market can operate. A true free market requires consumers to have excellent/perfect information with which to compare products. Private enterprise is incented to stifle the flow of such information - see recent attempts by companies to use copyright law prevent the publication of independent reviews of their products. We need a government - which ideally is free from commercial biases - to provide enough regulation and guidance to enable a true free market to operate.
Why don't we fight for LESS government and LESS government intervention...
If you don't believe there are lots of people doing exactly this you are very much misinformed. If you believe we should all fight for such things you don't understand people and you don't understand democracy.
Sailing over the event horizon
Because FIPS 140-1 and 140-2 are standards for hardware cryptography. They are in fact pretty simple and a device with a small embedded processor running open source software can fulfill its requirements easily, by making the device meet certain criteria about tamper resistance and so forth. However, it's the whole device that gets certified, not simply the software inside it.
Note that certification costs quite a lot, like $50K or so. And of course you can't let users tamper with the firmware (i.e. by changing it) and have the device stay certified. It might be ok for the user to take the device apart and change the firmware resulting in an uncertified device, but if certification wasn't needed the user wouldn't have needed to buy the device to begin with.
Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.
An excellent point, my "conservative" or "right-leaning" friend!
I, for one, trust the private sector to make important standards decisions in a just and unbiased manner. I know that can count on private enterprise to interact with the public an an open and honest fashion, and think that your average board of directors has a much better handle on what's going on with their company than some hare-brained committee of bureaucrats has over some bloated, complex government scheme.
Besides, I don't want such important things left up to some government agency that could disappear from the face of the planet in an instant--no, thank you, I'll take private enterprise any day. They're really looking out for what's best for me.
Obliteracy: Words with explosions