U.S. Government Certified Wireless Security Products?
superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"
"Here are the certification requirements:
Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.
I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."
to state the obvious (Score:1, Insightful)
Re:to state the obvious (Score:1)
We don't *know* that a government certification actually makes something secure in fact the opposite might be true - government certification makes it *less* secure.
The problem is often that any certification is deemed to be better than none and governments (civil servants) generally like things to fit into boxes they can tick
Re:to state the obvious (Score:1)
Re:to state the obvious (Score:1)
The Computer Security Division of NIST spends a lot of time researching what works and what doesn't. They (NIST) are a centralized body given the power (responsibility?) to design good standards and publish them for the US to use. And that is how you know that something is secure.
Re:to state the obvious (Score:1)
Parent of this modded as 0? Excuse me but the guy is so right that his comment deserved a 3+. Government certification AFAIK doesn't guarantee your privacy in any way.
Come on, think a little... When it comes to security *of network communications*, any agency, whether it be private funded or State funded, cannot be trusted, EXCEPT if they prove MATHEMATICALLY that what you transmit cannot be deciphered, if at all, at least for a very long period of time. The good thing with maths is that demonstrations can be trusted. No such thing can be said from any other science.
I've yet to see any "certification agency" giving mathematical proof that what it "certifies" is secure at all. RSA has lived long enough because it has been proven MATHEMATICALLY that breaking it would require YEARS of computer crunching to break at the highest levels (who uses <=1024bit RSA keys today?).
Of course, maths are still (always, for that matter) a work in progress, and what is true with RSA today may not be true anymore tomorrow (Bernstein's hypothetical prime-number-breaking machine has not been implemented yet AFAIK, and even if it were... well, let's just wait and see).
Encrypted VPNs are certainly a good choice, apart from any certification wahwah. But then be sure to choose an encryption scheme which is MATHEMATICALLY PROVEN to be strong enough for your needs. And if part of your scheme is based on public cryptography, ensure that private keys never travel "through the air", but that's pretty obvious.
Re:to state the obvious (Score:1)
Re:Got your wireless right here (Score:1)
Why government certified? (Score:3, Interesting)
Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.
Re:Why government certified? (Score:4, Informative)
Because it's perceived as good.
Because if you want to get a government contract you better meat government standards.
Because the government is supposed to have what is best for the people in mind.
Because private corporations have what is best for them in mind and really want you to pay for their product and not their competitors.
Re:Why government certified? (Score:1)
s/meat/meet/
Re:Why government certified? (Score:1)
...maybe that was just me though.
Re:Why government certified? (Score:4, Insightful)
Simple. The government has several large groups of people paid very well to be professionally paranoid, and to whom cost isn't a real concern - only the actual validity of the security.
Therefore, if THEY say that it's secure, you've got a pretty good chance of it being good enough. Much better than trusting that Vendor XYZ's pretty shiny brochure says "secure!" five times, and no negative reviews show up online.
Trust the experts. In this case, many of the experts happen to work for the government. If they worked in the private sector (and some do, but not most, and they're almost all biased), I'd look to them to certify things.
Re:Why government certified? (Score:2)
Re:Why government certified? (Score:3, Insightful)
Re:Why government certified? (Score:1)
Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?
Because a lot of companies are too busy trying to be first to market and not really interested in making secure bullet-proof products. This person's company is obviously trying to make WEP solutions safe in their building and sees FIPS certification as the most reliable means of ensuring that security. I only wish M$ software had to undergo these sort of government tests!
The advantage with having the government certify your transport protocols is that you have _one_ central organization that has _one_ standard and not a mess of differing ways of transferring data just to get around patents and proprietary closed means.
Why the W3C or any other standards organization? Because open sensible standards make sense and benefit everyone who participates.
Liberal philosophy (Score:1)
Re:Why government certified? (Score:3, Insightful)
I tend to dislike government involvement at least as much as the next guy (which is sort of ironic, considering what I do [lockheedmartin.com]) but this seems fairly reasonable. One thing that governments have done for a long time [hants.gov.uk] is establish standards (especially units of measure) and test whether products live up to their claims vis a vis those standards. I don't think it's that big a jump from certifying that a "pound" of flour really weighs a standard pound to certifying that a wireless networking hub offers the security it claims to.
Re:Why government certified? (Score:5, Insightful)
The private sector has a really poor track record of developing independent standards by which products can be compared. One of the main purposes of a business is to develop competitive advantage over its rivals, this is counter to the notion of having universal standards against which your products are measured.
This is (IMHO) a great example of where the government can provide a useful service to citizens that the private sector is unlikely to generate. A standard certification means that I can compare and contrast products from different manufacturers. I don't have to take Manufacturer X's claim of "superior security protocols" at face value, I can see whether it meets certain well-defined criteria.
It's this kind of oversight that ensures that something like a true free market can operate. A true free market requires consumers to have excellent/perfect information with which to compare products. Private enterprise is incented to stifle the flow of such information - see recent attempts by companies to use copyright law to prevent the publication of independent reviews of their products. We need a government - which ideally is free from commercial biases - to provide enough regulation and guidance to enable a true free market to operate.
Why don't we fight for LESS government and LESS government intervention...
If you don't believe there are lots of people doing exactly this you are very much misinformed. If you believe we should all fight for such things you don't understand people and you don't understand democracy.
Re:Why government certified? (Score:2)
Re:Why government certified? (Score:5, Funny)
Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.
An excellent point, my "conservative" or "right-leaning" friend!
I, for one, trust the private sector to make important standards decisions [microsoft.com] in a just and unbiased [rambus.com] manner. I know that I can count on private enterprise to interact with the public in an open and honest [enron.com] fashion, and think that your average board of directors [worldcom.com] has a much better handle on what's going on with their company [xerox.com] than some hare-brained committee of bureaucrats has over some bloated, complex government scheme.
Besides, I don't want such important things left up to some government agency that could disappear from the face of the planet in an instant [fuckedcompany.com]--no, thank you, I'll take private enterprise any day. They're really looking out for what's best for me [riaa.com].
Re:Why government certified? (Score:2)
Re:Why government certified? (Score:1)
All in good fun,
AAiP
Re:Why government certified? (Score:3, Insightful)
This isn't about bigger government or any other conspiracy where in order to buy new hardware it has to have passed government inspectors. Relax, you won't be seeing a purple USDA stamp of approval on your NIC any time soon, unless it is made out of beef. Mmmmmm... 802.11beef, it's what's for dinner.
Re:Why government certified? (Score:1)
Government standards (Score:2)
By the way, T-Ranger, my Canadian confrere, most of the Yanks on
Interrobang, tech writer in OSH&E
Re:Government standards (Score:1)
I pondered the spelling of OSHA. I'm almost positive that in NS it's the Occupational Health and Safety Act. I also could have sworn that my WHMIS trainers told me that it was American as well.. The important part: MSDS' (material safety data sheets) are international anyway.
One crazy summer I was a tech for a geotechnical company. Talk about standards. CSA concrete methods. Municipality conc standards. Provincial conc standards. ASTM methods for some lab tests. Some from LA. Some from the US Corps of Engineers. And all the time European road builders laughing at us and the crap we put up with.
Re:Why government certified? (Score:3, Insightful)
Because they are one of the key parties able to give an endorsement to a product. The microcomputer market exploded when IBM entered and provided it with the necessary endorsement, before IBM entered the fray micros were considered by many IT managers to be toys. The Web took off outside the computer industry after the Whitehouse went on line, before that no F500 company that was not in the computer or communications business would give us time of day.
The issue here is that the WEP-I standard was badly bodged. So there is going to have to be an endorsement by an opinion leader before people feel safe to use the improved WEP-II.
The idea that NIST could provide that endorsement is not a bad one, clearly none of the industry players can do it at the moment. This is despite the fact that the 802.11 security group was acting on the problems before they were brought to public attention in the Berkeley paper.
The standard that is being generally adopted is 802.1X, which is a general authentication mechanism for port level access that was originally developed for ethernet. Microsoft deployed a profile of this in the Windows XP support for WEP. There may be some divergence between this and the eventual standard since Windows XP only a short time after the WEP flaws were publicised.
WEPII does not provide perfect security, there remain features of the design which have the property that although nobody knows an exploit are still rather unsatisfactory. The biggest of these being that they still use RC4 where I would much prefer AES. However, the processors on the current 802 cards don't have the power to support AES and the liability is not great enough to justify throwing away all the existing cards.
On the OSS front, the best thing to do in this instance would be to follow Microsoft's approach and use a compatible profile of 802.1X. For the code to be any use to people it is going to have to work with the 802 hardware sold by the major vendors.
The big problem at the moment is that the access point hardware with support for the more advanced authentication mechanisms tends to be sold as $1500 enterprise solutions rather than $150 SOHO boxes, grrrr.
What I would really like is for someone to develop a cheap ($150) firewall router type box that supports Linux (or BSD) and PCMCIA to plug in an access card.
Re:Why government certified? (Score:2)
Just because you don't trust the government doesn't mean we should trust the private sector.
That's all I'm saying.
Arthur Andersen [washingtonpost.com]
Enron [washingtonpost.com]
IM Clone [washingtonpost.com]
Worldcom [washingtonpost.com]
Xerox [washingtonpost.com]
And just because this is Slashdot:
MS Windows [windows.com]
Re:Why government certified? (Score:2)
in private industry, if you get hacked, you go out of business. in government, if you get cracked, the Chinese find out about that sub you have off their coast. The stakes are much higher.
many gov crypto certs assign a measurable level of trust to a system, so you know what to expect, and are not bitten by implementation or design flaws.
WEP is useless anyway (Score:3, Insightful)
I'm *far* more interested in robust access-control rather than someone peeping in to my packets...
Re:WEP is useless anyway (Score:2)
Incorrect. This allows for traffic analysis and other wonderful thingies.
Or, at least, insufficient. It should be encrypted at the app level, then encrypted AGAIN at the transport level.
Re:WEP is useless anyway (Score:2)
Re:WEP is useless anyway (ssh timing attack) (Score:2)
The researchers estimated about a 50x work factor reduction for cracking the password.
Then came the audience question which was a trademark of the conference, "Were you aware that $1 reported that already in $2 at $3?"
Re:WEP is useless anyway (Score:1)
a) Impractical- and all it gives you is the *length* of the password.
Which for all intents and purposes is almost worthless.
b) Not stopped by WEP- the fact that the packets are encrypted doesn't stop you from seeing the timing between them.
I personally have my shit set up like the other guy says- with the wireless net completely untrusted- and using a VPN to come in.
But for some architectures, that's just not practical- which is why I'd like to see much stiffer access controls.
Re:WEP is useless anyway (Score:3, Interesting)
In this case, I'm talking traffic usage patterns.
Let's say you have AppX, which is used to decode, say, Albanian diplomatic encryption schemes. Its traffic is very very distinctive, over the network. Encrypted to hell and back, but very very distinctive.
So, Albania wants to find out if its ciphers are cracked. So it puts out a red herring, then listens to the network traffic radiating from the NSA building. Sure, it's encrypted, but who cares? They can tell.
This sounds stupid, and contrived, but remember, during the Cold War, the Russians would watch the pizza restaurants local to places of interest. If a bunch of pizzas are delivered to a certain door of the Pentagon at 10 at night, you know something's up.
Similarly, American diplomats in Russia were, and probably still are, told to do weird things. Why? To mask the signals and dead drops and stuff being done by actual American intelligence officers.
Re:WEP is useless anyway (Score:1)
I totally agree- my original point being that WEP is useless.
And here- WEP also does nothing to obscure network traffic.
What? (Score:2, Funny)
Re:What? (Score:1)
Re:What? (Score:1)
They don't do the work better, they're just a little less kind in their criticism. One of the big holes in Open Source / Free software is a nearly complete lack of proper Quality Assurance practices.
Finding a public body willing to test your work for you is a coder's wet dream, finding one that will grant you an air of reliability, all the better.
-GiH
My dog ran away with my wife, but it's okay, I have coffee.
Re:What? (Score:1)
Kinda like rating car crashworthiness. They don't develop the airbags and bumpers. They just run a car into a brick wall, see how it affects the passengers, and publish the results.
Re:What? (Score:1)
s/passengers/crash test dummies/
Why use JetFortress? (Score:1, Informative)
It's always gonna cost you... (Score:2, Insightful)
Anything you put over the airwaves is gonna get hacked sooner or later, because you've just eliminated the ONE thing that makes hacking the hardest: ACCESS.
Getting access to the data is always the most difficult step, hence Social Engineering, breaking and entering, etc. Putting all your stuff on the air so anybody can drive by in a car, or set up a nice antenna across the street now lets them suck down all your data and take all the time they want to crack it.
So if you want really good security on those airwaves, well you're going to need something that wasn't put together by a bunch of geeks working on their lunchbreaks. (At least right now, in the future as security becomes more developed this might change). You're going to need something that a reputable company puts out and will back up with patches and changes and won't put in backdoors because they're too worried about lawsuits. Someone with an excellent track record, and who will personally answer your security questions.
You just don't get those kinds of things or assurances with today's level of Open Source Developers. Besides, if you're not willing to fork out some major cash to secure your data in a highly insecure environment, then maybe you shouldn't go there!
Re:It's always gonna cost you... (Score:1)
OSI won't work... (Score:4, Funny)
[[[rimshot]]]
Use VPN, forget WEP. (Score:5, Insightful)
Move all of your access points to a network that is outside the firewall. Treat the wireless network as if it is completely untrusted. Enable DHCP on the untrusted network, but do not route the network to anywhere except to the VPN concentrator.
Place a VPN Concentrator on the wireless network and give VPN clients to all of your wireless users. No VPN = NO ACCESS. Problem solved.
All of your company's encryption requirements can be handled by the VPN concentrator, which I'm sure you can get certification for.
Re:Use VPN and host-based firewall (Score:1)
Without doing this, all of your mobile clients become a very weak link in your network's security: a rogue wireless node could hack into your laptop running IIS (over the wireless link) then plant a trojan (or just turn on routing) that gives them access to the inside of the firewall through your VPN tunnel.
Microsoft's little fiasco a while back with crackers having access to their source code was essentially this type of attack. Note that in that case it was not a wireless network that was to blame, rather it was a broadband remote user that had a compromised machine.
Re:Use VPN and host-based firewall (Score:2)
Once the VPN is established, all traffic is routed through the VPN and all inbound traffic is thrown away.
This creates a minor inconvenience to users who want to print to local devices on the 802.11 lan, but you just move those inside the corporate network.
Re:Use VPN, forget WEP. (Score:1)
The problem is with multi-AP deployments. If you have multiple WLAN Access Points, then running VPN typically means you are tunneling all that user's traffic over your LAN back to the VPN concentrator - and then it needs to route their packets to where they are actually going. You end up a bit S.L.O.W...
Of course, this can be solved by installing VPN concentrators next to the WLAN APs - but that gets expensive...
EAP is supposed to sort this out. Authenticated access plus encryption keys that change every 'n' minutes.
Re:Use VPN, forget WEP. (Score:2)
The only problem I foresee is having to purchase a larger VPN concentrator (you could always use open source IPSec) or having to purchase more Access points, which you'd have to do anyway once you reach the 10 or 50 user limit that most APs have.
As far as speed, today's computers and VPN concentrators are fast enough to handle the encryption overhead, as well as the routing. Complaining that the routers have to "route the packets where they're actually going", is an empty argument. This is what they were made to do, and the additional hop added by going through the concentrator creates a negligible performance impact.
You also DO NOT have to install the VPN concentrator next to the APs; use the network you build to bring the wireless VLAN into the switches on the individual floors.
Trunk your floors together (like most companies do) with fiber and put a single VPN concentrator in the server room. Use the concentrator to gateway this dirty VLAN into the corporate network. (I'm leaving out the discussion of VLAN security -- I know someone will gripe that VLANs are not a secure division of services and I leave that solution as an exercise to the reader.)
Re:Use VPN, forget WEP. (Score:1)
You want it when? (Score:2)
Why in court? Because at some point, somebody can claim that you failed to exercise "due diligence" for something -- somebody else's proprietary secrets, personal information, or your own insider information. That's why people pay for certification -- they can point to somebody else, whom they paid to tell them it was "good."
Bird on a wire (Score:2, Funny)
This does not address Denial of Service attacks caused by birds attempting to collect bits of the string for nesting material; a preferable solution to both issues would be to run the string inside a conduit with a diameter greater than the maximum amplitude of the carrier waves. Care should be taken to plan ahead and use larger conduits than are currently needed, in order to accommodate future increases in wave size.
Otherwise, everyone will be clamoring for "fatter pipes".
Was that a European swallow or an African swallow? (Score:1)
IPSec (Score:4, Informative)
The best strategy for both data security and access control is to use IPSEC, FreeS/WAN for linux and built in IPSec for Win2k and newer. If you have to use a dedicated WAP appliance, plug it directly into a gateway interface and have the wireless network on its own subnet, probably using a privately addressable subnet, since server applications on Wireless would be stupid most of the time. That gateway only would have udp port 500 and protocol 50, maybe 51 open, and the rest of the traffic coming in plain from the WEP gets dropped immediately. Now you are both forcing users to use secure transport level methods *and* preventing unauthorized use by those who do not have keys on the gateway. I'm not sure what certification it meets, but it is a proven, trusted technology as opposed to the "Wiretap Equivalent Protocol". Of course if the devices are very mobile and likely to be accessible from a public place or stolen, then you need to also have people use application level security to make sure the data is kept secret. At the endstations as well as while in transit.
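The gateway filtering described in the comment above (UDP port 500 and protocol 50, maybe 51, everything else dropped), combined with the untrusted, DHCP-enabled wireless segment from the "Use VPN, forget WEP" comment, written out as an added example that is not part of the original thread. The function name, the chain name WLAN_IN and the interface name are assumptions; the output is the wireless-side portion of an iptables-restore ruleset for a Linux gateway.

```shell
#!/bin/sh
# Added example (not from the thread): print the wireless-side rules of an
# IPsec gateway in iptables-restore format.
# Assumptions: function name, chain name WLAN_IN and the interface name
# are illustrative.
#
# usage: wlan_gateway_rules <wireless-interface> [ah] [dhcp]
#   ah    also accept IP protocol 51 (the "maybe 51" in the comment above)
#   dhcp  also accept DHCP requests from clients on the untrusted segment
wlan_gateway_rules() {
    wif=$1
    allow_ah=0
    allow_dhcp=0
    # Accept only a plain interface name so the generated ruleset cannot be
    # altered by a crafted argument.
    case $wif in
        ''|*[!A-Za-z0-9._-]*)
            echo "wlan_gateway_rules: invalid interface name" >&2
            return 1 ;;
    esac
    shift
    for opt in "$@"; do
        case $opt in
            ah)   allow_ah=1 ;;
            dhcp) allow_dhcp=1 ;;
            *)    echo "wlan_gateway_rules: unknown option: $opt" >&2
                  return 1 ;;
        esac
    done

    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:WLAN_IN - [0:0]
# Everything addressed to the gateway from the wireless side is judged here.
-A INPUT -i $wif -j WLAN_IN
# IKE key exchange (UDP 500) and ESP (IP protocol 50).
-A WLAN_IN -p udp --dport 500 -j ACCEPT
-A WLAN_IN -p esp -j ACCEPT
EOF
    if [ "$allow_ah" -eq 1 ]; then
        echo "-A WLAN_IN -p ah -j ACCEPT"
    fi
    if [ "$allow_dhcp" -eq 1 ]; then
        echo "-A WLAN_IN -p udp --sport 68 --dport 67 -j ACCEPT"
    fi
    cat <<EOF
# Anything else arriving in the clear is dropped immediately.
-A WLAN_IN -j DROP
# Forward only packets that were decapsulated by IPsec; plaintext from the
# wireless segment is never routed onward.
-A FORWARD -i $wif -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i $wif -j DROP
COMMIT
EOF
}
```

Loading this output with iptables-restore replaces the filter table, so on a real gateway it would be merged with the rules for the wired interfaces first.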
Wireless Network Visualization Project (Score:1)
Certified Wireless products (Score:1, Interesting)
have not seen/used the product. so i can not speak more about it.
Open source software can't meet this standard... (Score:5, Informative)
Because FIPS 140-1 and 140-2 are standards for hardware cryptography. They are in fact pretty simple and a device with a small embedded processor running open source software can fulfill its requirements easily, by making the device meet certain criteria about tamper resistance and so forth. However, it's the whole device that gets certified, not simply the software inside it.
Note that certification costs quite a lot, like $50K or so. And of course you can't let users tamper with the firmware (i.e. by changing it) and have the device stay certified. It might be ok for the user to take the device apart and change the firmware resulting in an uncertified device, but if certification wasn't needed the user wouldn't have needed to buy the device to begin with.
Re:Open source software can't meet this standard.. (Score:2)
Open source vs. closed source should not make any difference. The key is the cost, every time you modify it, you have to recertify it! Granted the recertification will cost less than the first time, but it is best to isolate the security sections as much as possible.
See my other post for comments about what certification actually buys you.
FIPS 140-1 (Score:2, Informative)
Basically what happens is, you go talk to one of a number of organizations that NIST has approved to do the validation. Then you pay them a lot of money to go over your code. This generally takes one person full time on your side to answer their question and deal with the paperwork. What they're looking for is how you handle key material, and how you implement and use various cryptographic algorithms. For example, at Netscape we had to make some modifications to our random number generator to match FIPS 186.
Even after your software is validated, you still don't know that it's "secure". All you know is that it conforms to FIPS 140-1. While this can give you some comfort as to the soundness of the design of the software, it doesn't insulate you from bugs that can create vulnerabilities.
Finally, you also have to worry about keeping your validation updated every time you change the code. You need to show that any of the changes you make don't affect the validation in order to preserve it.
802.11b wifi antennas (Score:1)
Secure Wireless Networks (Score:2, Insightful)
Re:Secure Wireless Networks (Score:2)
Re: (Score:2)
Re: (Score:2)
Harris SecNet (Score:2)
www.govcomm.harris.com/secure-comm
They make a PCMCIA card that is due to be tested for NSA Type 1 encryption soon. I saw it in action during source selection review, and it works pretty sweet.
I believe this will meet any encryption standards they could throw at you; it's good enough for the NSA!
Enjoy.
*You* can't use that solution (Score:3, Interesting)
There's really no need for this sort of thing - 3DES or AES are strong enough to keep the NSA and KGB out if you use good keys and don't mishandle them.
Re:*You* can't use that solution (Score:1)
Sorry about the confusion, folks.
AirFortress (Score:1)
The products from Fortress Technologies are actually pretty sweet. We use dozens of the little AF-1100's all over the place with a bunch of Lucent/Agere AP's for bridging and the like. They just recently acquired the FIPS 140-1 certs for their software. I opened one up, voiding the warranty, and checked it out. (they run Linux on an embedded single board computer.) It's much simpler than IPSEC or VPN since it's layer 2. (and since it's layer 2, we're talking whatever protocol you want to run under Win32 and PocketPC.) The company [suprtek.com] I work for sells them for $1895.
Tool for FIPS app level security over wireless net (Score:1)
We've used it to develop applications running on top of 802.11b networks, and aside from being able to address the security case, the transmission protocol does a bang-up job at optimizing data transmission over IP. The SDK is also pretty good.
Government Approved 802.11x Security Solution (Score:2, Informative)
FIPS 140 is not a magic wand! (Score:2)
Let's say that your wireless product uses WEP. There is nothing that would keep you from getting a FIPS 140 certification for that product, even though WEP is a really broken algorithm. All the FIPS 140 cert does is assure people that you really did implement WEP.
Aside from assurance that the product works as designed, the best use of FIPS is for hardware security designs. Unlike logical security, it is fairly easy to specify the requirements and goals you want your hardware security systems to meet. The labs that perform certification also have a lot of experience in ensuring products meet their design goals. So FIPS 140 (IMHO) is an excellent standard for hardware.
Another problem with any certification, including FIPS 140, is the need to recertify anytime you change the certified sections. The way most people do this, is to compartmentalize the security sections (which hopefully rarely change). Never worked for my last job, where we had to change these types of sections several times a year.
So, to directly answer your question, I think asking for a FIPS 140 certified product will not buy you much security for your problem. The idea is to solve the security problems as they are installed in your system. The Common Criteria standards will probably work much better for this (but here your organization is responsible for getting the certification, although it helps if your vendors can supply components that are already certified).
Who wants it "certified" ? (Score:2)
I haven't seen anyone actually answer you, so here (Score:3, Informative)
Not only that, they have a price-point about half that of previous Type 1 encryption devices, about 2700 per node as opposed to about 5k per node.
Hope this helps, they have a nice datasheet and brief on the site.
Steven
Re:I haven't seen anyone actually answer you, so h (Score:2)
MAC Address Restrictions? (Score:2)
I had a lot of problems getting WEP to work properly (though I think I could get it working now), so I simply did a MAC address restriction on the AP and, if I understand it properly, nobody should be able to use my AP but a machine with my laptop's MAC address (which is supposedly unique). That doesn't mean the traffic can't be monitored. For this, I don't know, but I'm not real concerned about that.
Wouldn't a combination of WEP and MAC address restrictions be enough for most places, though?
Re:MAC Address Restrictions? (Score:1)
Shared secrets are not secrets (Score:1)
If you tell 3000 people what your WEP key is, you don't have a secret anymore.
When you combine that problem with the logistical mess of giving out keys and the loss of your ability to provide access for visitors, you would be better off putting your wireless network outside your company firewall. Then, use VPN clients to pierce your firewall the same way you would if you were home, in a hotel room, or at an airport.
Firewalker - Open-source, IPSec wireless AP (Score:1)