Protecting Laptops In the Wild

July 2005
By Maryann Lawlor

Senior Airman Aaron Karwoski, USAF, security forces team member supporting operations in Afghanistan, monitors security for Air Mobility Command assets from his laptop inside a command post tent. Laptop computers are a staple in current operations, but when they operate wirelessly, data becomes another asset that must be secured.
When it comes to wireless connectivity, danger is in the air.

The U.S. Army is leading the charge in securing the new networking frontier: wireless communications. Recognizing the benefits and vulnerabilities of staying connected without being tied to wires, the Army’s leadership has developed a policy that highlights security and that has become the model for all the services as well as for the U.S. Defense Department. Industry offers critical components to help the Army and others comply with these policies by designing solutions and sharing best business practices.

Developing a wireless policy for the Army was not a one-step process. The service issued its first guidelines that permitted the deployment of wireless technologies in April 2002. However, in November 2003, Army Regulation 25-2 (AR 25-2), the overarching policy for information assurance, essentially rescinded all previous wireless policies because of security requirements.

It was at this point that industry stepped in to help the Army comprehensively address its security concerns so wireless technologies could be deployed. The Army’s Network Enterprise Technology Command/9th Army Signal Command (NETCOM), Fort Huachuca, Arizona, worked with iGov, a McLean, Virginia-based systems integrator, to develop the policy. Michael Wanklyn, a contractor at NETCOM’s information assurance directorate (IAD) employed by Sytex Incorporated at the time, was the Army’s only wireless technologies point of contact. Tapping into resources the commercial sector offers, including best business practices, helped in developing the policy, he says. Today, Wanklyn is senior principal and security engineer at Computer Sciences Corporation, Chantilly, Virginia.

“The best-business-practices piece was an extension of the AR 25-2 so we could tell people that they could use wireless, but they would have to meet certain requirements before standing up wireless. I’m trying to educate people that when you’re on a wired topology, the safeguards work pretty well. But when you send your packets wirelessly, you have to relook at them because there are layers of the OSI [open system interconnection] model that have to be addressed. One of the biggest threats in the wireless area is layer 2,” Wanklyn explains.

Brad Mack, vice president at iGov and an expert on wireless technology, illustrates this fact with a true story about a senior defense official who used his laptop at the Dallas-Fort Worth Airport in Texas before the policy was established. The entire airport is a hot spot. “He’s got plenty of time to catch his flight. He’s in the departure lounge, and he fires up his laptop. So, for the first four or five minutes that laptop is broadcasting, trying to connect to everything in the place. Well, a pair of attackers was in the immediate vicinity. He gets connected to the Internet after he’s launched his credit card to T-Mobile out in the open. Then he went to a couple commercial Web sites then decided he’d go back to his local organization and pull up Outlook Web Access and check his calendar. Those credentials went out in the clear because there was no VPN [virtual private network] tunnel created. Then he decided he’d check Army Knowledge Online. Those credentials went out in the clear. Then he went out and did some banking. That went out in the clear,” Mack explains. After this incident came to light, Lt. Gen. Steven W. Boutelle, USA, Army chief information officer/G-6, tasked the IAD to come up with a way to fix this problem immediately, he adds.
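The first minutes of that story, when the laptop is “broadcasting, trying to connect to everything in the place,” are visible to anyone nearby with a wireless card in monitor mode: a client walking its list of remembered networks names each one in an 802.11 probe request. The following is an added example, not code from the article, from iGov or from any Army program; it parses the management-frame header and tagged parameters of probe requests and lists which network names a station has revealed. The MAC addresses and SSIDs are constructed for the sample, and the frames are assembled in the block rather than captured.

```python
import struct

# 802.11 management header: frame control, duration, addr1 (DA),
# addr2 (SA), addr3 (BSSID), sequence control; all little-endian.
MGMT_HDR = struct.Struct("<HH6s6s6sH")
BROADCAST = b"\xff" * 6
TYPE_MGMT, SUBTYPE_PROBE_REQ, SUBTYPE_BEACON = 0, 4, 8
TAG_SSID, TAG_RATES = 0, 1


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def tagged(tag: int, value: bytes) -> bytes:
    """One tagged parameter: tag number, length, value."""
    return bytes([tag, len(value)]) + value


def build_mgmt_frame(subtype: int, src: bytes, body: bytes, seq: int) -> bytes:
    """Assemble a management frame; used here only to construct sample input."""
    fc = (subtype << 4) | (TYPE_MGMT << 2)      # protocol version 0, type management
    return MGMT_HDR.pack(fc, 0, BROADCAST, src, BROADCAST, seq << 4) + body


def parse_probe_request(frame: bytes):
    """Return (source MAC, probed SSID) for a probe request, None for other frames.

    An empty SSID element is a wildcard probe; a non-empty one names a
    network the station already remembers and is looking for.
    """
    if len(frame) < MGMT_HDR.size:
        raise ValueError("frame shorter than management header")
    fc, _dur, _da, sa, _bssid, _seq = MGMT_HDR.unpack_from(frame, 0)
    if (fc >> 2) & 0x3 != TYPE_MGMT or (fc >> 4) & 0xF != SUBTYPE_PROBE_REQ:
        return None
    off = MGMT_HDR.size
    ssid = None
    while off + 2 <= len(frame):                # walk the tagged parameters
        tag, length = frame[off], frame[off + 1]
        off += 2
        value = frame[off:off + length]
        if len(value) != length:
            raise ValueError("truncated tagged parameter")
        off += length
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
    return mac_str(sa), ssid


def leaked_networks(frames):
    """Map each station MAC to the sorted list of SSIDs it probed for by name."""
    seen = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        sa, ssid = parsed
        if ssid:                                # wildcard probes reveal nothing
            seen.setdefault(sa, set()).add(ssid)
    return {sa: sorted(names) for sa, names in seen.items()}


# Constructed sample traffic (addresses and names are made up): one laptop
# walking its preferred-network list, plus an AP beacon that must be ignored.
LAPTOP = bytes.fromhex("001ec2aabbcc")
AP = bytes.fromhex("00c049ddeeff")
RATES = tagged(TAG_RATES, bytes([0x82, 0x84, 0x8B, 0x96]))
SAMPLE_FRAMES = [
    build_mgmt_frame(SUBTYPE_PROBE_REQ, LAPTOP, tagged(TAG_SSID, b"") + RATES, 1),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, LAPTOP, tagged(TAG_SSID, b"CorpWLAN") + RATES, 2),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, LAPTOP, tagged(TAG_SSID, b"HomeLinksys") + RATES, 3),
    build_mgmt_frame(SUBTYPE_PROBE_REQ, LAPTOP, tagged(TAG_SSID, b"tmobile") + RATES, 4),
    # beacon body starts with 12 bytes of fixed fields before its tags
    build_mgmt_frame(SUBTYPE_BEACON, AP, b"\x00" * 12 + tagged(TAG_SSID, b"tmobile"), 5),
]

if __name__ == "__main__":
    for sa, ssids in leaked_networks(SAMPLE_FRAMES).items():
        print(sa, "probed for:", ", ".join(ssids))
```

Every name in that list is one an attacker in the lounge can answer with an access point of his own, which is why a pre-association control such as a VPN that comes up before any application traffic matters more than any setting on the laptop’s own radio.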

Mack emphasizes that the need to secure wireless devices operating in public areas is critical. “On any given day, the Army has between 20,000 and 40,000 mobile workers. Unless you do something to defend these laptops, it’s a disaster waiting to happen in my opinion,” he says.

In late June 2004, the Army issued its wireless security standards policy, which centers on four principles: strong layer 2 encryption, mutual authentication, intrusion prevention and end-point policy enforcement. Although security is important for everyone using wireless devices, Mack points out that the nature of the Army’s mission requires it to pay particular attention to two of these areas. “First, you’ve got to protect the data-link layer because you’ve got to remember there are two types of hackers—two completely different sports if you will. Spies and thieves don’t want to disrupt your communication. They don’t want you to know they’re there; they want to steal your data so they don’t want to take the link down. On the other hand, you’ve got hackers with malicious intent, vandals. They want to disrupt your ability to transport your information. They’re going to attack you at layer 2, and that’s where address resolution protocol resides, and that’s not protected by anything other than a layer 2 encryption system,” he relates. The Army has identified two authorized products that will be deployed to address this issue.

“The second requirement specific to the Army’s policy is a combative intrusion detection system, which is in my opinion an intrusion prevention system. An intrusion detection system in a wireless network is worthless. I don’t want to be notified that something occurred after it occurred. You must have the ability to suppress rogue or unsanctioned activity in the air space. The minute you spot it, shut it down. You wouldn’t deploy it at home, but the Army requires it. Those are the two most important unique aspects that the policy addresses in the Army that most other government agencies haven’t even thought about yet,” Mack says. The policy also states that every network in the Army must be accredited by a higher headquarters and must receive third-party validation before it can be extended wirelessly.
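Mack’s two points above, that ARP lives at layer 2 with nothing authenticating it and that a monitor must act the moment it sees unsanctioned activity, can be shown with a small ARP watcher. This is an added example, not code from the article, from iGov or from either of the Army’s authorized products: it parses ARP messages as the host sees them (Ethernet II framing), learns the IP-to-MAC bindings they carry and raises an alert the instant an address is claimed by a second hardware address, or the gateway’s address is claimed by anyone but the gateway. All addresses are constructed, and the frames are built in the block rather than captured. The block stops at the alert; what a wireless intrusion prevention system does next is the product’s business.

```python
import struct
from collections import namedtuple

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, ethertype
ARP_PKT = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = b"\xff" * 6

ArpMsg = namedtuple("ArpMsg", "op sha spa tha tpa")


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sha, spa, tha, tpa):
    """Construct an Ethernet-framed ARP message (sample input, not captured)."""
    eth_dst = BROADCAST if op == ARP_REQUEST else tha
    arp = ARP_PKT.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return ETH_HDR.pack(eth_dst, sha, ETHERTYPE_ARP) + arp


def parse_arp(frame):
    """Return an ArpMsg for an ARP-over-Ethernet frame, None for other ethertypes."""
    if len(frame) < ETH_HDR.size:
        raise ValueError("frame shorter than Ethernet header")
    _dst, _src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    if len(frame) < ETH_HDR.size + ARP_PKT.size:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_PKT.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not IPv4-over-Ethernet ARP")
    return ArpMsg(op, mac_str(sha), ip_str(spa), mac_str(tha), ip_str(tpa))


class ArpWatch:
    """Learn IP-to-MAC bindings from ARP traffic and flag changes.

    Receivers update their cache from the sender fields of any ARP message,
    request or reply, and nothing in the protocol authenticates those
    fields. The monitor therefore learns from both, and treats a binding
    change, or any claim on a protected address such as the gateway, as
    poisoning.
    """

    def __init__(self, protected=None):
        self.protected = dict(protected or {})   # ip -> authoritative MAC
        self.table = {}                          # ip -> last MAC seen
        self.alerts = []

    def observe(self, msg):
        ip, mac = msg.spa, msg.sha
        if ip in self.protected and mac != self.protected[ip]:
            self.alerts.append(f"{ip} claimed by {mac}, expected {self.protected[ip]}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            self.alerts.append(f"{ip} binding changed {old} -> {mac}")
        self.table[ip] = mac


def analyze(frames, protected):
    """Run the monitor over raw frames and return the alerts it raised, in order."""
    watch = ArpWatch(protected)
    for frame in frames:
        msg = parse_arp(frame)
        if msg is not None:
            watch.observe(msg)
    return watch.alerts


# Constructed scenario (all addresses made up): a laptop resolves its gateway,
# the gateway answers, then a third station replies claiming the gateway's IP
# and, to complete the man-in-the-middle, claims the laptop's IP to the gateway.
GW_MAC, GW_IP = bytes.fromhex("aaaaaa000001"), bytes([10, 0, 0, 1])
LAPTOP_MAC, LAPTOP_IP = bytes.fromhex("bbbbbb000020"), bytes([10, 0, 0, 20])
EVIL_MAC = bytes.fromhex("cccccc000099")
ZERO_MAC = b"\x00" * 6
SAMPLE_FRAMES = [
    build_arp(ARP_REQUEST, LAPTOP_MAC, LAPTOP_IP, ZERO_MAC, GW_IP),
    build_arp(ARP_REPLY, GW_MAC, GW_IP, LAPTOP_MAC, LAPTOP_IP),
    build_arp(ARP_REPLY, EVIL_MAC, GW_IP, LAPTOP_MAC, LAPTOP_IP),
    build_arp(ARP_REPLY, EVIL_MAC, LAPTOP_IP, GW_MAC, GW_IP),
]
PROTECTED = {ip_str(GW_IP): mac_str(GW_MAC)}

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FRAMES, PROTECTED):
        print("ALERT:", alert)
```

The third frame is enough on its own to redirect the laptop’s traffic through the attacker, which is the practical reason the policy asks for link-layer encryption first and a monitor that reacts immediately second: with the link encrypted the forged reply is never accepted, and without it the only thing between the victim and the attacker is how fast the monitor acts.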

Wanklyn relates that developing the Army’s policy required him and the iGov team to address two specific networks: strategic and tactical. “Strategic networks are running at classification levels that are sensitive but unclassified, usually. Those can be secured with a variety of cryptography approved by the NSA [National Security Agency]. But when it comes to tactical, there is only one cryptography solution that is allowable for secret and above and that’s type 1 encryption. The NSA will not approve anything unless it is type 1 encryption for the tactical environment unless there’s a waiver and extenuating circumstances. But those waivers are few and far between. So everything we did for tactical, we worked hard to get type 1 approved. Unfortunately, it’s not fast enough for the warfighter. So the NSA re-examined one of the cryptography pieces, the AES [advanced encryption standard]. AES cryptography is approved now at 256 bit for secret and above. That opened the door for strategic wireless communications to be used in the field and that allowed iGov and the other vendors that had that type of encryption to go ahead in the tactical space at least for right now. It still requires a waiver from the information assurance directorate. It’s a complex way of doing business, but the groundwork that was laid was done for a reason: Layer 2 is so problematic that if we don’t encrypt the data flow in the link layer, then all we’re doing is transmitting our data in the open,” he explains.

Although the Army spearheaded the military’s wireless policy effort, Jeff Oliveto, senior manager of engineering at iGov and an expert in wireless technology, notes that it was used as a model for the other services as well as for the Pentagon and Defense Department when they developed their policy statements. He contends that other federal agencies should view the policy as a model even though their missions differ from the military’s.

The Army tests throughput and performance of an fSona free space optics laser relay using Federal Information Processing Standard (FIPS) 140-2/layer 2 encryption to ensure information security at gigabit transmission speeds.
“There’s been a lot of fear about wireless networking, so many government organizations, agencies, departments and bureaus have just said they don’t want to do wireless networking. Their policy is a no wireless policy. That’s their way of handling it,” Oliveto adds. He points out that civilian agencies are relying on the National Institute of Standards and Technology, which is using the Federal Information Security Management Act of 2002 (FISMA) to develop a wireless security policy. “NIST is working with all the different agencies. It’s deploying a policy, and it’s getting consensus. The Army, on the other hand, said, ‘Here’s the policy. Use it,’” he notes.

The process of establishing a wireless policy for an organization can be frustrated by a number of issues that are incessant and not likely to go away soon, Oliveto relates. One is manufacturer propaganda. Many companies claim their technology provides a total security solution. “But the reality is that no single vendor can do everything. So the challenge is to find the right mix of vendors to provide you with secure wireless solutions,” he says.

Oscar Fuster, vice president of consulting services for iGov, shares that another challenge is the fast pace of technology change. “It’s very similar to the wired security problem. We have new technologies and new applications constantly being introduced. Take voice over Internet protocol, for instance. We have a wireless policy; we have voice over Internet protocol; now we have wireless voice over Internet protocol, and maybe industry is just catching up to the problem. So we’re trying to implement new solutions to solve problems because, as people start adopting these technologies, new problems arise or new combinations of issues crop up. And that’s a very difficult problem to resolve,” he says.

Oliveto agrees. “The key is that the standards are changing. The core protocols are pretty firm. They haven’t changed much. But wireless is still very much in flux, and we need groups that go out and conduct vendor certifications so we can have interoperability. You have to pick your vendors and technology wisely or you’re going to be doing wholesale upgrades or you’re going to be vulnerable,” he states.

This constant flux requires more than just a one-time review of the network and a stagnant policy, he adds. When organizations install wireless capabilities, they often assume that core security policies are in place. At times, this is not the case and even when it is, the policies and technologies may not be compatible with the more up-to-date standards for wireless. As a result, organizations must first examine their wired infrastructure closely to determine if the security policy and software must be updated, and then they must look at their infrastructure from the wireless standpoint, Oliveto states.

Threats in the wireless environment generally mirror those in the wired environment with a few additions. Mack points out that radio frequency jamming is unique to the wireless world. “It’s one thing to set up a 2.4-gigahertz 802.11b network that’s fully secure. A well-funded adversary sitting out in the parking lot with enough horsepower and wattage can shut that network down. And it doesn’t matter how much security you have, so you have to also look at that,” he notes.

The advantages the very nature of mobile computing offer also can expose organizations’ wired networks to risks. Oliveto explains that a couple of scenarios come quickly to mind. “Within my campus, the area where I have some level of control, yes, there are issues of denial of service and eavesdropping. But what about the people who plug their laptops into networks at hotels? If you’ve ever looked at a hot spot, particularly high-traffic areas like airports, you’re going to see constant probes and connections and viruses. So what’s your risk? Where you have a level of control, it’s certainly going to be an adversary with a specific target. But once you take the laptops outside the campus—and everybody’s going mobile now—that’s where your vulnerabilities are, and you need to address all of those,” he states.

Fuster puts the enormity of the wireless security challenge in perspective. “Think about the wired network and what security engineers have tried to do for a number of years: block the perimeter because they trust everybody inside. With wireless, all of a sudden everybody becomes an insider. What’s the issue that security engineers really ought to confront now? Assume everybody’s an insider. How do we, in a granular way, really protect every bit of information? The more valuable the information, the more protection that’s required,” he states.

With the services’ wireless policies now developed, Wanklyn has moved on to a new wireless project. He is working on a way to meet the military’s next wireless challenge—secure wireless communications on the go. One solution he is helping to develop with the Army and the Defense Advanced Research Projects Agency uses the radio energy from a jamming attempt to strengthen the wireless connection. The goal is to deliver a working prototype to the Army by the end of this month.


Web Resources
Network Enterprise Technology Command/9th Army Signal Command:
U.S. Army Office of the Chief Information Officer/G-6: