Protecting Laptops In the Wild
When it comes to wireless connectivity, danger is in the air.
Senior Airman Aaron Karwoski, USAF, security forces team member supporting operations in Afghanistan, monitors security for Air Mobility Command assets from his laptop inside a command post tent. Laptop computers are a staple in current operations, but when they operate wirelessly, data becomes another asset that must be secured.
The U.S. Army is leading the charge in securing the new networking frontier: wireless communications. Recognizing the benefits and vulnerabilities of staying connected without being tied to wires, the Army’s leadership has developed a policy that highlights security and that has become the model for all the services as well as for the U.S. Defense Department. Industry offers critical components to help the Army and others comply with these policies by designing solutions and sharing best business practices.
Developing a wireless policy for the Army was not a one-step process. The service issued its first guidelines that permitted the deployment of wireless technologies in April 2002. However, in November 2003, Army Regulation 25-2 (AR 25-2), the overarching policy for information assurance, essentially rescinded all previous wireless policies because of security requirements.
It was at this point that industry stepped in to help the Army comprehensively address its security concerns so wireless technologies could be deployed. The Army’s Network Enterprise Technology Command/9th Army Signal Command (NETCOM),
“The best-business-practices piece was an extension of the AR 25-2 so we could tell people that they could use wireless, but they would have to meet certain requirements before standing up wireless. I’m trying to educate people that when you’re on a wired topology, the safeguards work pretty well. But when you send your packets wirelessly, you have to relook at them because there are layers of the OSI [open system interconnection] model that have to be addressed. One of the biggest threats in the wireless area is layer 2,” Wanklyn explains.
Brad Mack, vice president at iGov and an expert on wireless technology, illustrates this fact with a true story about a senior defense official who used his laptop at the
Mack emphasizes that the need to secure wireless devices operating in public areas is critical. “On any given day, the Army has between 20,000 and 40,000 mobile workers. Unless you do something to defend these laptops, it’s a disaster waiting to happen in my opinion,” he says.
In late June 2004, the Army issued its wireless security standards policy, which centers on four principles: strong layer 2 encryption, mutual authentication, intrusion prevention and end-point policy enforcement. Although security is important for everyone using wireless devices, Mack points out that the nature of the Army’s mission requires it to pay particular attention to two of these areas. “First, you’ve got to protect the datalink layer because you’ve got to remember there are two types of hackers—two completely different sports if you will. Spies and thieves don’t want to disrupt your communication. They don’t want you to know they’re there; they want to steal your data so they don’t want to take the link down. On the other hand, you’ve got hackers with malicious intent, vandals. They want to disrupt your ability to transport your information. They’re going to attack you at layer 2, and that’s where address resolution protocol resides, and that’s not protected by anything other than a layer 2 encryption system,” he relates. The Army has identified two authorized products that will be deployed to address this issue.
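Mack's point about the link layer is easy to see in the protocol itself: an ARP reply carries no authenticator of any kind, so a station on the same segment can rebind any IP address to its own MAC, and nothing above layer 2 can tell. The following passive detector is an added example written for this page; it is not code from the article, iGov or the Army. It decodes raw Ethernet/ARP frames and reports the three usual signs of poisoning (payload MAC disagreeing with the wire source, an unsolicited reply, a binding that changes from what was first learned). The MAC and IP addresses and the four frames at the bottom are constructed for the demonstration; a real deployment would feed it a promiscuous capture from the segment.

```python
"""ARP-poisoning detector over raw Ethernet/ARP frames. Added example,
not from the article, iGov or the Army; the sample traffic is constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpFrame:
    eth_src: str     # hardware address in the Ethernet header
    opcode: int
    sender_mac: str  # hardware address claimed inside the ARP payload
    sender_ip: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[ArpFrame]:
    """Decode Ethernet II + IPv4-over-Ethernet ARP (RFC 826); None otherwise.

    Note what the format lacks: no authenticator, signature or nonce, so any
    station on the segment can emit a reply binding a peer's IP to its MAC.
    802.1Q-tagged frames are not handled here.
    """
    if len(frame) < 42:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpFrame(_mac(src), op, _mac(sha), _ip(spa), _ip(tpa))


def build_arp(eth_src: str, op: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Assemble a raw ARP frame; used only to construct the sample traffic."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(":"))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth_dst = mac(BROADCAST) if op == ARP_REQUEST else mac(tha)
    eth = struct.pack("!6s6sH", eth_dst, mac(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                      mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp


class ArpMonitor:
    """Passive detector: learns IP->MAC bindings, keeps the first one it saw,
    and reports the usual signs of poisoning without trusting the new claim."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}   # ip -> first-seen mac
        self.pending: Set[str] = set()       # ips with an outstanding request
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        arp = parse_arp(frame)
        if arp is None:
            return None
        reasons: List[str] = []
        if arp.opcode == ARP_REQUEST:
            self.pending.add(arp.target_ip)
        elif arp.opcode == ARP_REPLY:
            if arp.sender_mac != arp.eth_src:
                # Payload claims one address, the wire carried another.
                reasons.append(f"spoof: {arp.sender_ip} claimed by "
                               f"{arp.sender_mac} but sent from {arp.eth_src}")
            if arp.sender_ip not in self.pending:
                # Nobody asked: an unsolicited reply is the classic poisoning vector.
                reasons.append(f"unsolicited reply: {arp.sender_ip} is-at {arp.sender_mac}")
            self.pending.discard(arp.sender_ip)
        known = self.bindings.setdefault(arp.sender_ip, arp.sender_mac)
        if known != arp.sender_mac:
            reasons.append(f"binding change: {arp.sender_ip} moved from "
                           f"{known} to {arp.sender_mac}")
        alert = "; ".join(reasons) or None
        if alert:
            self.alerts.append(alert)
        return alert


# Constructed sample traffic (addresses are made up for the demonstration).
GATEWAY_IP, GATEWAY_MAC = "10.0.0.1", "00:11:22:33:44:01"
LAPTOP_IP, LAPTOP_MAC = "10.0.0.50", "00:11:22:33:44:50"
ATTACKER_MAC = "de:ad:be:ef:00:01"
SAMPLE_TRAFFIC = [
    # Laptop resolves the gateway and the gateway answers: normal.
    build_arp(LAPTOP_MAC, ARP_REQUEST, LAPTOP_MAC, LAPTOP_IP, "00:00:00:00:00:00", GATEWAY_IP),
    build_arp(GATEWAY_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),
    # Attacker injects an unsolicited reply rebinding the gateway IP to itself.
    build_arp(ATTACKER_MAC, ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),
    # Attacker also forges the payload MAC; the Ethernet source still gives it away.
    build_arp(ATTACKER_MAC, ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, LAPTOP_MAC, LAPTOP_IP),
]


def run_sample() -> List[str]:
    mon = ArpMonitor()
    for frame in SAMPLE_TRAFFIC:
        mon.observe(frame)
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The detector deliberately keeps the first binding it learned rather than the latest: once a segment is under attack, the most recent reply is exactly the one not to trust. Legitimate gratuitous ARP (DHCP, failover) will also trip the "unsolicited" rule, which is why the rules are reported together rather than acted on individually; on a wireless segment the only real fix is the link-layer encryption with mutual authentication that the policy calls for.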
“The second requirement specific to the Army’s policy is a combative intrusion detection system, which is in my opinion an intrusion prevention system. An intrusion detection system in a wireless network is worthless. I don’t want to be notified that something occurred after it occurred. You must have the ability to suppress rogue or unsanctioned activity in the air space. The minute you spot it, shut it down. You wouldn’t deploy it at home, but the Army requires it. Those are the two most important unique aspects that the policy addresses in the Army that most other government agencies haven’t even thought about yet,” Mack says. The policy also states that every network in the Army must be accredited by a higher headquarters and must receive third-party validation before it can be extended wirelessly.
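The detection half of what Mack describes, deciding which access points in the airspace are sanctioned and which are not, comes down to parsing beacon frames and comparing them against the list of hardware the organization owns. The classifier below is an added example written for this page, not code from the article, iGov or any Army system. It decodes raw 802.11 beacons (BSSID, SSID, privacy bit, RSN element) and sorts each AP into sanctioned, evil twin (the organization's own SSID from a BSSID it does not own), open rogue, or encrypted rogue. The sanctioned list, SSIDs and sample beacons are constructed for the demonstration; the suppression step itself (the "shut it down" the policy requires) is out of scope here.

```python
"""Wireless-airspace classifier over raw 802.11 beacon frames. Added example,
not from the article, iGov or the Army; the sanctioned list and frames are
constructed for the demonstration."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

IE_SSID, IE_RSN = 0, 48
CAP_PRIVACY = 0x0010   # capability bit: link-layer encryption in use


@dataclass
class Beacon:
    bssid: str
    ssid: str
    privacy: bool   # capability "privacy" bit set
    rsn: bool       # RSN (802.11i / WPA2) information element present


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_beacon(frame: bytes) -> Optional[Beacon]:
    """Decode an 802.11 management frame of subtype Beacon (no radiotap header).

    Header: frame control(2) duration(2) addr1(6) addr2(6) addr3=BSSID(6) seq(2);
    then timestamp(8) interval(2) capability(2); then tagged elements (id, len, body).
    """
    if len(frame) < 36:
        return None
    fc = frame[0]
    if (fc & 0x0C) != 0x00 or (fc >> 4) != 8:   # type management, subtype beacon
        return None
    bssid = _mac(frame[16:22])
    _ts, _interval, cap = struct.unpack("<QHH", frame[24:36])
    ssid, rsn, pos = "", False, 36
    while pos + 2 <= len(frame):
        ie_id, ie_len = frame[pos], frame[pos + 1]
        body = frame[pos + 2:pos + 2 + ie_len]
        if len(body) < ie_len:
            break   # truncated element: stop rather than over-read
        if ie_id == IE_SSID:
            ssid = body.decode("utf-8", "replace")
        elif ie_id == IE_RSN:
            rsn = True
        pos += 2 + ie_len
    return Beacon(bssid, ssid, bool(cap & CAP_PRIVACY), rsn)


def build_beacon(bssid: str, ssid: str, privacy: bool, rsn: bool) -> bytes:
    """Assemble a minimal beacon; used only to construct the sample frames."""
    mac = bytes(int(x, 16) for x in bssid.split(":"))
    hdr = struct.pack("<HH6s6s6sH", 0x0080, 0, b"\xff" * 6, mac, mac, 0)
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    ies = bytes([IE_SSID, len(ssid)]) + ssid.encode()
    if rsn:
        ies += bytes([IE_RSN, 2]) + b"\x01\x00"   # RSN version field only
    return hdr + fixed + ies


class AirspaceMonitor:
    """Classify every AP heard against the sanctioned BSSID -> SSID list."""

    def __init__(self, sanctioned: Dict[str, str]) -> None:
        self.sanctioned = {b.lower(): s for b, s in sanctioned.items()}
        self.our_ssids = set(self.sanctioned.values())
        self.verdicts: Dict[str, str] = {}   # bssid -> verdict

    def classify(self, frame: bytes) -> Optional[str]:
        b = parse_beacon(frame)
        if b is None:
            return None
        if b.bssid in self.sanctioned:
            verdict = ("sanctioned" if b.ssid == self.sanctioned[b.bssid]
                       else "sanctioned-bssid-unexpected-ssid")
        elif b.ssid in self.our_ssids:
            verdict = "evil-twin"      # our SSID from hardware we do not own
        elif not (b.privacy or b.rsn):
            verdict = "rogue-open"     # unsanctioned and unencrypted
        else:
            verdict = "rogue"
        self.verdicts[b.bssid] = verdict
        return verdict

    def to_suppress(self) -> List[str]:
        """BSSIDs an IPS would act on; sanctioned hardware is never targeted."""
        return sorted(b for b, v in self.verdicts.items()
                      if v.startswith(("evil", "rogue")))


# Constructed sample data (BSSIDs and SSIDs are made up for the demonstration).
SANCTIONED = {"00:1a:2b:3c:4d:01": "POST-WLAN", "00:1a:2b:3c:4d:02": "POST-WLAN"}
SAMPLE_BEACONS = [
    build_beacon("00:1a:2b:3c:4d:01", "POST-WLAN", True, True),   # ours, as configured
    build_beacon("c0:ff:ee:00:00:01", "POST-WLAN", True, True),   # our SSID, foreign BSSID
    build_beacon("c0:ff:ee:00:00:02", "linksys", False, False),   # someone's open AP
    build_beacon("00:1a:2b:3c:4d:02", "guest", False, False),     # our hardware, misconfigured
]


def run_sample() -> Dict[str, str]:
    mon = AirspaceMonitor(SANCTIONED)
    for frame in SAMPLE_BEACONS:
        mon.classify(frame)
    return mon.verdicts


if __name__ == "__main__":
    for bssid, verdict in run_sample().items():
        print(bssid, verdict)
```

Two design choices worth noting: the BSSID, not the SSID, is the identity that is checked, because the SSID is exactly what an evil twin copies; and the organization's own hardware broadcasting an unexpected SSID is reported but kept off the suppression list, since knocking a misconfigured sanctioned AP off the air is a helpdesk ticket rather than an incident.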
Wanklyn relates that developing the Army’s policy required him and the iGov team to address two specific networks: strategic and tactical. “Strategic networks are running at classification levels that are sensitive but unclassified, usually. Those can be secured with a variety of cryptography approved by the NSA [National Security Agency]. But when it comes to tactical, there is only one cryptography solution that is allowable for secret and above and that’s type 1 encryption. The NSA will not approve anything unless it is type 1 encryption for the tactical environment unless there’s a waiver and extenuating circumstances. But those waivers are few and far between. So everything we did for tactical, we worked hard to get type 1 approved. Unfortunately, it’s not fast enough for the warfighter. So the NSA re-examined one of the cryptography pieces, the AES [advanced encryption standard]. AES cryptography is approved now at 256 bit for secret and above. That opened the door for strategic wireless communications to be used in the field and that allowed iGov and the other vendors that had that type of encryption to go ahead in the tactical space at least for right now. It still requires a waiver from the information assurance directorate. It’s a complex way of doing business, but the groundwork that was laid was done for a reason: Layer 2 is so problematic that if we don’t encrypt the data flow in the link layer, then all we’re doing is transmitting our data in the open,” he explains.
Although the Army spearheaded the military’s wireless policy effort, Jeff Oliveto, senior manager of engineering at iGov and an expert in wireless technology, notes that it was used as a model for the other services as well as for the Pentagon and Defense Department when they developed their policy statements. He contends that other federal agencies should view the policy as a model even though their missions differ from the military’s.
The Army tests throughput and performance of an fSona free space optics laser relay using Federal Information Processing Standard (FIPS) 140-2/layer 2 encryption to ensure information security at gigabit transmission speeds.
The process of establishing a wireless policy for an organization can be frustrated by a number of issues that are incessant and not likely to go away soon, Oliveto relates. One is manufacturer propaganda. Many companies claim their technology provides a total security solution. “But the reality is that no single vendor can do everything. So the challenge is to find the right mix of vendors to provide you with secure wireless solutions,” he says.
Oscar Fuster, vice president of consulting services for iGov, shares that another challenge is the fast pace of technology change. “It’s very similar to the wired security problem. We have new technologies and new applications constantly being introduced. Take voice over Internet protocol, for instance. We have a wireless policy; we have voice over Internet protocol; now we have wireless voice over Internet protocol, and maybe industry is just catching up to the problem. So we’re trying to implement new solutions to solve problems because, as people start adopting these technologies, new problems arise or new combinations of issues crop up. And that’s a very difficult problem to resolve,” he says.
Oliveto agrees. “The key is that the standards are changing. The core protocols are pretty firm. They haven’t changed much. But wireless is still very much in flux, and we need groups that go out and conduct vendor certifications so we can have interoperability. You have to pick your vendors and technology wisely or you’re going to be doing wholesale upgrades or you’re going to be vulnerable,” he states.
This constant flux requires more than just a one-time review of the network and a stagnant policy, he adds. When organizations install wireless capabilities, they often assume that core security policies are in place. At times, this is not the case and even when it is, the policies and technologies may not be compatible with the more up-to-date standards for wireless. As a result, organizations must first examine their wired infrastructure closely to determine if the security policy and software must be updated, and then they must look at their infrastructure from the wireless standpoint, Oliveto states.
Threats in the wireless environment generally mirror those in the wired environment with a few additions. Mack points out that radio frequency jamming is unique to the wireless world. “It’s one thing to set up a 2.4-gigahertz 802.11b network that’s fully secure. A well-funded adversary sitting out in the parking lot with enough horsepower and wattage can shut that network down. And it doesn’t matter how much security you have, so you have to also look at that,” he notes.
The very advantages that mobile computing offers can also expose an organization's wired network to risk. Oliveto explains that a couple of scenarios come quickly to mind. “Within my campus, the area where I have some level of control, yes, there are issues of denial of service and eavesdropping. But what about the people who plug their laptops into networks at hotels? If you’ve ever looked at a hot spot, particularly high-traffic areas like airports, you’re going to see constant probes and connections and viruses. So what’s your risk? Where you have a level of control, it’s certainly going to be an adversary with a specific target. But once you take the laptops outside the campus—and everybody’s going mobile now—that’s where your vulnerabilities are, and you need to address all of those,” he states.
Fuster puts the enormity of the wireless security challenge in perspective. “Think about the wired network and what security engineers have tried to do for a number of years: block the perimeter because they trust everybody inside. With wireless, all of a sudden everybody becomes an insider. What’s the issue that security engineers really ought to confront now? Assume everybody’s an insider. How do we, in a granular way, really protect every bit of information? The more valuable the information, the more protection that’s required,” he states.
With the services’ wireless policies now developed, Wanklyn has moved on to a new wireless project. He is working on a way to meet the military’s next wireless challenge—secure wireless communications on the go. One solution he is helping to develop with the Army and the Defense Advanced Research Projects Agency uses the radio energy from a jamming attempt to strengthen the wireless connection. The goal is to deliver a working prototype to the Army by the end of this month.