A new fix for wireless woes?
- By Cheryl Gerber
- May 19, 2003
Within months, federal agencies will reap the rewards of the growing wireless local-area network (WLAN) market, as major government contracts begin offering a new class of wireless network gear stamped with much-needed federal certification.
These new devices are called wireless switches, and several companies, including a few start-ups, are poised to begin offering them. The switches are expected to provide a level of security and centralized management previously missing in most WLAN deployments.
For federal information technology shops, WLAN technology will overcome significant security hurdles as the switches, along with some other software-based security solutions, receive Federal Information Processing Standard (FIPS) 140-2 certification.
The mushrooming use of wireless equipment in the past few years exposed a security gap in the Wired Equivalent Privacy (WEP) encryption that is built into 802.11, the industry standard developed by the Institute of Electrical and Electronics Engineers and on which most WLAN products are based.
WEP secures a wireless transmission between its two endpoints. One endpoint is made up of the wireless Network Interface Cards, which are installed on client computers; the other is the access point, which includes the radio transmitter and which plugs into the wired network.
However, WEP leaves data and networks vulnerable to attack. "Your average hacker could break through WEP in only a matter of hours," said Gemma Paulo, senior analyst at In-Stat/MDR in Scottsdale, Ariz.
"There's a big problem with rogue access points, an illegal access point that gets plugged in and exposes the network," said David Callisch, product marketing director at Aruba Wireless Networks Inc., one of several vendors that offer wireless switches.
Aruba's switch sits in line between the access point and the wired network. Responsible for controlling and securing the access points' connection to the network, the wireless switch can detect a rogue access point and prevent it from invading the network.
In recognition of the WEP security problem and the exploitability of some wireless networks, the Office of the Secretary of Defense issued the Pentagon Area Common Information Technology Wireless Security Policy in July 2001, placing a moratorium on the installation and use of wireless systems. The policy was restated in September 2002. That scared federal users away from WLANs until the security standards and policy began to catch up.
The Pentagon is now working on updates and ultimately a more permanent wireless policy. "I expect the [Defense Department] will have a policy on this sometime within the next year," said Richard Hale, chief information assurance executive for the Defense Information Systems Agency. "That will force us all to buy products that have the most advanced security features."
In the meantime, DISA and other federal agencies will require FIPS 140-2 certification for WLAN equipment, a designation that most current WLAN products lack because of the inherent shortcomings of WEP. Several WLAN switches, as well as some other non-WEP wireless security products, are in the process of being evaluated for the certification.
Among other security provisions, FIPS 140-2 requires that the networking products use Advanced Encryption Standard or Triple Data Encryption Standard, which are more powerful than the protection WEP provides. FIPS 140-2 certification provides products with sensitive but unclassified security status.
By fall, Extreme Networks Inc. and reseller iGov.com likely will offer WLAN switches and some other security products with FIPS 140-2 certification on the Scientific and Engineering Workstation Procurement III contract managed by NASA. Extreme Networks also will provide the certified WLAN switches on the General Services Administration's Connections vehicle and the National Institutes of Health's Electronic Commodity Store III contract.
Later this year, Symbol Technologies Inc. will make FIPS-certified WLAN switches available through its five-year Automatic Identification Technologies II prime contract with DOD.
Wireless switches offer other benefits besides improved security that could make WLANs more appealing to government agencies. Currently, wireless users who are hitched to an access point must share the available throughput, whereas a switch connection provides each user with the total available throughput of that switch. Also, current WLAN access points must be configured and managed individually. Adding more wireless users means adding access points, which increases administrators' workloads.
Switches, on the other hand, when used in conjunction with dumb, or lightweight, access points, can centralize many tasks, such as administering the virtual private network that provides security or upgrading network software, thereby lowering the cost and management requirements of the access points.
"Switches make setting up and managing larger infrastructures easier," Hale said.
Switches will not be for everyone, though. They are best suited for larger enterprises and would probably be overkill for small deployments. Also, a lack of interoperability among vendors' products may cool some potential customers.
Officials at the Energy Department's Sandia National Laboratories in Albuquerque, N.M., are evaluating WLAN switches and access points to deter-mine which ones they want to test in the next six months. Among the products they are evaluating are some from Extreme Networks, including a wireless switch.
Extreme Networks' switches have been submitted to the National Institute of Standards and Technology for certification under FIPS 140-2. "We expect to receive FIPS certification in the next few months," said Vipin Jain, vice president and general manager of Extreme Networks' LAN access business.
"FIPS 140-2 certification is very important to Sandia," said Dallas Wiener, network systems engineer for Sandia's Advanced Network Integration. "It aids in the security approval process, and it is required for systems that handle some of our data."
For Sandia, however, the chief impediment to deploying WLAN switches is lack of vendor interoperability. "Standard protocols need to be established between wireless LAN switches, and also between wireless LAN switches and lightweight access points," Wiener said.
Despite concerns about the lack of standards for vendor interoperability, Sandia officials see the benefits of using WLAN switches.
"Many wireless LAN switches offer a number of extremely attractive features, such as...rogue access-point detection and a comprehensive centralized management solution," Wiener said. "The lower cost of the lightweight access points allows organizations to deploy more access points per room or building, providing wireless LAN users with increased coverage and throughput."
Gerber is a freelance writer based in Kingston, N.Y.