U.S. Government Certified Wireless Security Products? 132
superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"
"Here are the certification requirements:
I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.
to state the obvious (Score:1, Insightful)
WEP is useless anyway (Score:3, Insightful)
I'm *far* more interested in robust access-control rather than someone peeping in to my packets...
Re:Why government certified? (Score:4, Insightful)
Simple. The government has several large groups of people paid very well to be professionally paranoid, and to whom cost isn't a real concern - only the actual validity of the security.
Therefore, if THEY say that it's secure, you've got a pretty good chance of it being good enough. Much better than trusting that Vendor XYZ's pretty shiny brochure says "secure!" five times, and no negative reviews show up online.
Trust the experts. In this case, many of the experts happen to work for the government. If they worked in the private sector (and some do, but not most, and they're almost all biased), I'd look to them to certify things.
It's always gonna cost you... (Score:2, Insightful)
Anythin gyou put over the airwaves is gonna get hacked sooner or later, because you've just eliminated the ONE thing that makes hacking the hardest: ACCESS.
Getting access to the data is always the most difficult step, hence Social Engineering, breaking and entering, etc. Putting all your stuff on the air so anybody can drive be in a car, or set up a nice antenna across the street now lets them suck down all your data and take all the time they want to crack it.
So if you want really good security on those airwaves, well you're going to need something that wasn't put together by a bunch of geeks working on their lunchbreaks. (At least right now, in the future as security because more developed this might change). You're going to need something that a reputable company puts out and will back up with patches and changes and won't put in backdoors because they're too worried about lawsuits. Someone with an excellent track record, and who will personally answer your security questions.
You just don't get those kinds of things or assurances with today's level of Open Source Developers. Besides, if you're not willing to fork out some major cash to secure your data in a highly insecure environment, then maybe you shouldn't go there!
Re:Why government certified? (Score:3, Insightful)
Use VPN, forget WEP. (Score:5, Insightful)
Move all of your access points to a network that is outside the firewall. Treat the wireless network as if it is completely untrusted. Enable DHCP on the untrusted network, but do not route the network to anywhere except to the VPN concentrator.
Place a VPN Concentrator on the wireless network and give VPN clients to all of your wireless users. No VPN = NO ACCESS. Problem solved.
All of your company's encryption requirements can be handled by the VPN concentrator, which I'm sure you can get certification for.
Re:Why government certified? (Score:3, Insightful)
I tend to dislike government involvement at least as much as the next guy (which is sort of ironic, considering what I do [lockheedmartin.com]) but this seems fairly reasonable. One thing that governments have done for a long time [hants.gov.uk] is establish standards (especially units of measure) and test whether products live up to their claims vis a vis those standards. I don't think it's that big a jump from certifying that a "pound" of flour really weighs a standard pound to certifying that a wireless networking hub offers the security it claims to.
Re:Why government certified? (Score:5, Insightful)
The private sector has a really poor track record of developing independent standards by which products can be compared. One of the main purposes of a business is to develop competitive advantage over its rivals, this is counter to the notion of having universal standards against which your products are measured.
This is (IMHO) a great example of where the government can provide a useful service to citizens that the private sector is unlikely to generate. A standard certification means that I can compare and contrast products from different manufacturers. I don't have to takes Manufactuer X's claim of "superior security protocols" at face value, I can see whether it meets certain well-defined criteria.
Its this kind of oversight that ensures that something like a true free market can operate. A true free market requires consumers to have excellent/perfect information with which to compare products. Private enterprise is incented to stifle the flow of such information - see recent attempts by companies to use copyright law prevent the publication of independent reviews of their products. We need a government - which ideally is free from commercial biases - to provide enough regulation and guidance to enable a true free market to operate.
Why don't we fight for LESS government and LESS government intervention...
If you don't believe there are lots of people doing exactly this you are very much misinformed. If you believe we should all fight for such things you don't understand people and you don't understand democracy.
Re:Why government certified? (Score:3, Insightful)
This isn't about bigger government or any other conspiracy where in order to buy new hardware it has to have passed government inspectors. Relax, you won't be seeing a purple USDA stamp of approval on your NIC any time soon, unless it is made out of beef. Mmmmmm... 802.11beef, its what's for dinner.
Secure Wireless Networks (Score:2, Insightful)
Re:Why government certified? (Score:3, Insightful)
Because they are one of the key parties able to give an endorsement to a product. The microcomputer market exploded when IBM entered and provided it with the necessary endorsement, before IBM entered the fray micros were considered by many IT managers to be toys. The Web took off outside the computer industry after the Whitehouse went on line, before that no F500 company that was not in the computer or communications business would give us time of day.
The issue here is that the WEP-I standard was baddly bodged. So there is going to have to be an endorsement by an opinion leader before people feel safe to use the improved WEP-II.
The idea that NIST could provide that endorsement is not a bad one, clearly none of the industry players can do it at the moment. This is despite the fact that the 802.11 security group was acting on the problems before they were brought to public attention in the Berkely paper.
The standard that is being generally adopted is 802.1X, which is a general authentication mechanism for port level access that was originally developed for ethernet. Microsoft deployed a profile of this in the Windows XP support for WEP. There may be some divergence between this and the eventual standard since Windows XP only a short time after the WEP flaws were publicised.
WEPII does not provide perfect security, there remain features of the design which have the property that although nobody knows an exploit are still rather unsatisfactory. The biggest of these being that they still use RC4 where I would much prefer AES. However, the processors on the current 802 cards don't have the power to support AES and the liability is not great enough to justify throwing away all the existing cards.
On the OSS front, the best thing to do in this instance would be to follow Microsoft's approach and use a compatible profile of 802.1X. For the code to be any use to people it is going to have to work with the 802 hardware sold by the major vendors.
The big problem at the moment is that the access point hardware with support for the more advanced authentication mechanisms tends to be sold as $1500 enterprise solutions rather than $150 SOHO boxes, grrrr.
What I would really like is for someone to develop a cheap ($150) firewall router type box that supports Linux (or BSD) and PCMCIA to plug in an access card.