Wireless Rule Focuses on Security

August 2006
By Henry S. Kenyon

The U.S. Defense Department’s new memorandum on 802.11 wireless systems states that all wireless devices and networks connecting to the Global Information Grid must meet government security and interoperability standards.
Effort emphasizes standards compliance for acquisition of commercial systems.

The U.S. Defense Department has launched a new policy initiative designed to provide increased security and interoperability for wireless devices and systems. The undertaking provides rules for the use of commercial wireless equipment on government networks and emphasizes the adoption of open standards for wireless technologies.

The effort was formalized in a memorandum released on June 2 and specifically outlines the use of Institute of Electrical and Electronics Engineers (IEEE) 802.11 and 802.11i wireless local area network (WLAN) devices and systems capable of storing, processing and transmitting unclassified data within the Global Information Grid. The new document complements Defense Department Directive (DoDD) 8100.2, which lays out the fundamental regulations for acquiring and leveraging commercial technologies.

Three factors led to the policy initiative behind the memorandum, explains Danny P. Price, deputy director for wireless policy, Office of the Assistant Secretary of Defense for Networks and Information Integration (OASD NII), CrystalCity, Virginia. The first was a need to create more ways to install local area networks (LANs) in Defense Department environments. Price notes that in some cases, WLANs are a more flexible, cost-efficient and easily installed solution than wired LANs.

A second factor influencing the government’s decision to issue the policy was the growing number of local WLANs being set up across the department. Price explains that these systems were installed with different implementation schemes, and this lack of coordination could lead to interoperability and security issues across the department.

Rapidly advancing commercial technology was the third issue the government wanted to address because improved capabilities make WLAN solutions useful and attractive to Defense Department personnel.

To address these factors, the OASD NII created a working group that was responsible for planning operational needs and formulating a policy framework. Two of critical areas of consideration were the need for better security and the requirement for interoperability, Price says.

The memorandum dictates that all wireless equipment purchased at the beginning of fiscal year 2007 must be acquired, configured and operated to ensure joint interoperability, open standards and architectures. Additionally, Defense Department agencies and service components have until December 2, 2006—180 days from the memorandum’s June 2 release date—to submit migration plans outlining how their legacy equipment will achieve compliance.

Price notes that prior to the publication of the initiative, the department followed the guidelines set forth in DoDD 8100.2. The new document offers supplemental guidance to the 8100.2 requirements by stipulating more specific security and interoperability guidelines for the unclassified use of commercial WLANs. Price adds that 802.11 technologies currently are being used throughout the Defense Department to a limited extent but that many are proprietary systems. He explains that it was necessary to use these products initially because they were the only ones available that met the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 140-2 validation requirements of DoDD 8100.2.

The memorandum states that the military can deploy only standards-based WLAN technologies complying with IEEE 802.11 guidelines. Any purchased wireless product with cryptographic functionality must meet FIPS 140-2 Overall Level 1 validation. And, all information assurance-enabled WLAN products require National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation, and all wireless systems and components must meet overall end-to-end interoperability requirements approved by the Joint Interoperability Test Command.

Wireless products also must obtain commercial interoperability certifications. WLAN-enabled devices such as network interface cards and access points that store, process or transmit unclassified data must be Wireless Fidelity (Wi-Fi) Alliance certified and Wi-Fi Protected Access 2 (WPA2)-enterprise certified for 802.11 interoperability.

Unclassified data transmitted between WLAN-enabled devices and systems is required to travel over end-to-end assured channels. The data must meet NIST Cryptographic Module Validation Program guidelines to meet FIPS 140-2 requirements at minimum Overall Level 1. The memo stipulates that WLAN infrastructure devices that store keying information used in public environments conform to Level 2 FIPS standards.

Encryption for stored data will be through individual files, file systems or media such as whole disk encryption and memory cards. WLAN-enabled portable electronic devices (PEDs) must meet FIPS 140-2 Overall Level 1 or Level 2 requirements depending on the sensitivity of the data. All sensitive-but-unclassified information must be encrypted.

Personal firewalls also are required for all WLAN-enabled PEDs, and mobile devices must have validated anti-virus software installed on them. Additionally, the memorandum dictates that all of the Defense Department’s agencies apply a defense-in-depth security approach to their WLAN devices, systems and technologies.

Defense Department agencies must implement WLAN systems that are IEEE 802.11i compliant and WPA2 Enterprise certified and that use 802.1X access control with extensible authentication protocol transport layer security mutual authentication. These devices and systems also are required to be configured to exclusively use FIPS 140-2 minimum Overall Level 1 validated Advanced Encryption Standard (AES)-Counter with Cipher Block Changing-Message Authentication Code Protocol communications. In addition, WLAN devices require strong identification and authentication techniques at the device and network levels.

Agencies are required to ensure that wireless network intrusion detection systems (WIDS) are continuously monitoring activity. WIDS must be validated under NIAP criteria as meeting U.S. government standards for basic and medium levels of security. WIDS are necessary for all Defense Department wired and wireless LANs. According to the memorandum, WIDS monitoring will ensure full awareness of any wireless activity within department network environments. Wireless intrusion detection is required, including a location-detection capability for authorized and unauthorized wireless devices.

The memorandum notes some exceptions to the security rules. For example, noncompliant WLAN devices and systems require a document justifying their use. National Security Agency-certified Type 1 devices are acceptable for unclassified data when operating in secure mode; however, the document notes that this equipment is not preferred. Justification also must be provided for the use of some Type 1 WLAN devices that use proprietary technologies and are not interoperable with 802.11i systems.

The memorandum is part of a Defense Department effort to help commercial industry understand security requirements and to implement the security component, explains Khalid Syed, senior associate and senior wireless system engineer, Booz Allen Hamilton Incorporated, Tysons Corner, Virginia. For this new policy to work effectively, it was important for the IEEE 802.11 working group to be in alignment with NIST guidelines. It also was necessary to engage the WPA2 working subgroup responsible for certifying wireless products’ security features to meet Defense Department requirements. The last and most important part of the effort was to ensure that these working groups and various agencies were all synchronized, he says.

Booz Allen Hamilton coordinates these activities for the Defense Department through its commercial wireless working group meetings. These groups consist of individuals from industry and from different department agencies that help facilitate and articulate requirements to industry. Syed notes that industry officials agreed with the Defense Department’s security needs with only minor considerations. He adds that making these key changes in security policy was critical for private industry because firms traditionally build niche products for the government that require high research and development costs followed by a certification process. The Defense Department then would pay a premium for these products.

The commercial wireless working group approached the new initiative from an opportunistic perspective, Syed says. Booz Allen Hamilton and the Defense Department helped modify the 802.11i standard while it was still being ratified and refined. He maintains that the changes were minimal, but they aligned the security algorithms in accordance with AES guidance under FIPS 140-2. “Industry must develop a single product, no matter who they’re selling it to, as opposed to developing a niche product for the federal government. In order to sell that product to the government, they have to go through an NIAP evaluation to get their FIPS certification,” Syed explains.

Synchronizing the 802.11i standard with Defense Department security requirements was a key achievement because now anyone in the federal government can buy products off the shelf that have the FIPS validation. Syed adds that this allows government purchasers to buy equipment at a significant cost savings over specialized niche products that address security with proprietary technologies.

Another key requirement for the policy was to leverage standard technologies from an interoperability standpoint. The department has put a premium on maximizing reusability and interoperability across all of the services, Syed notes. “Traditionally, the Army, Air Force and Navy would implement wireless LAN solutions that would have proprietary security elements and that by default were not interoperable. The idea to move to a standard base like 802.11i that ensures the security requirements are in alignment with federal law was a major accomplishment,” he says.

Web Resources
Office of the Assistant Secretary of Defense for Networks and Information Integration: www.dod.mil/nii
Booz Allen Hamilton Incorporated: www.boozallen.com