Army locks down wireless LAN

Fort Sam Houston is a prime candidate for wireless networks. The San Antonio installation is home to the commanders of the Army's medical systems and supports various military training services, including battle simulation. Because other tactical groups often conduct tests at the site, a network may be installed for a week, a few months or even a year.

On top of this, the base has 18,000 computer users and houses a number of older buildings, so running high-speed copper or fiber wiring is expensive, impractical and sometimes impossible.

Wireless local-area networks based on the popular 802.11 standards emerged as the best way to expand the base's network last year because of the easy setup and breakdown, and the minimal disruption to the existing infrastructure.

However, such an approach is not as secure as its wired counterparts, something other government agencies have discovered the hard way.

"A number of federal agencies installed wireless LANs that they thought were secure but ended up being open to eavesdroppers," said Michael Disabato, an analyst with the Burton Group, a market research firm in Salt Lake City.

For Fort Sam Houston officials, security was a high priority as they shopped for a wireless LAN. A network with security flaws was not an option. Also, officials knew that they ought to follow stricter security guidelines than the average organization.

"Previously, I worked for a large financial institution and understood that it was only a matter of time until federal agencies were forced to tighten up their network security requirements," said Matthew Albertson, senior network design engineer at the fort. "I did not want to walk into my office one morning, find a new policy directive and then have to revamp our network. So we searched for the most restrictive security standards that we could find and used them as the foundation for our selection."

Officials at the Army base determined that to prevent unauthorized access to their wireless connections, they would have to deploy a number of extra security checks.

"Current limitations with the 802.11 security features [have] created a lot of fear, uncertainty and doubt," said J.P. Gorsky, general manager for the wireless business unit at Enterasys Networks Inc., a Cabletron Systems Inc. company in Rochester, N.H. Although "there are some potential security holes, there are also steps [information technology] departments can take to close them up."

Fort officials began their search last fall and examined wireless LAN products from various vendors, including Enterasys; Cisco Systems Inc., Linksys Group Inc. and Proxim Inc.

One problem with security products is that they tend to add overhead and diminish network performance. So throughput was a top concern for base officials, who tested potential products using the largest files they could find: multiple streaming videos and high-bandwidth downloads.

The results were mixed. On the plus side, base officials found that laptop wireless cards were easy to install, had a good range and worked with a variety of brands, such as Dell Computer Corp., Toshiba Corp. and Panasonic. As far as access points — the entry points and gatekeepers to the network — were concerned, they found that throughput speeds and the number of channels available varied from vendor to vendor.

After testing the various products, base officials decided to deploy tools from multiple companies rather than go with a single vendor's solution.

"I think that you get the highest degree of security when you mix and match products because a hacker doesn't have to just break one firm's security check, he has to break all of them," Albertson said.

Who Goes There?

Network security starts with access control, which prevents unauthorized users from entering a network. Hacking into a wireless LAN can be as simple as plugging a wireless adapter card into a laptop and searching for an open link, a process similar to finding the nearest cellular phone tower when driving.

Vendors built some security functions into 802.11 wireless LAN standards, which come in two varieties: 802.11b, which operates at 11 megabits/sec, and 802.11a, at 54 megabits/sec. When granting access, these networks rely on Service Set Identifiers (SSIDs) to identify each network component.

Individual device information is verified in one of two ways. The first authentication process requires that a device supply a known SSID before being granted network access. Unfortunately, network access points constantly broadcast their SSIDs, allowing intruders to detect them with devices such as network analyzers and use that information to enter a network.

With the second technique, shared-key authentication, the access point sends each client, or node, on the network a challenge-text packet that it must encrypt and return to the access point. If the client has no key or the wrong key, authentication fails and the client cannot access the network.

However, the Institute of Electrical and Electronics Engineers Inc.'s initial shared-key authentication standard, Wired Equivalent Privacy (WEP), proved to be insecure because its key system and encryption technique were not strong enough.

To close those holes, Fort Sam Houston officials purchased an access- control system from Cisco, wireless LAN adapters from Proxim, network-access equipment from Enterasys and encryption software from Cylink Corp., based in Santa Clara, Calif. Officials chose the Cisco product because it offered the highest degree of user authentication and could be integrated with the Army base's network management system, CiscoWorks2000.

The Proxim adapters, which were installed on the base's workstations and now provide the wireless connection to the network, proved to be quite powerful.

"I expected any wireless LAN adapter to start to lose its transmission strength at about 500 feet," Albertson said. "The Proxim product delivered full transmission rates at more than 700 feet."

Fort officials purchased the Enterasys radio equipment, which plugs into a computer with a cable, to provide configuration flexibility and convenience when temporary users need to connect to the wireless LAN. Military officials from other bases regularly arrive for various training programs, such as battlefield simulations, emergency evacuations and special forces missions. They often bring their own hardware and software, so the base's network has to support a wide variety of systems.

"We needed a system that doesn't care about what encryption, operating system or configuration a PC has," said Albertson. "The Enterasys equipment plugs in the back of any computer and works with any operating system, even MS-DOS" from Microsoft Corp.

The encryption component proved to be the trickiest to find.

"With most of the current encryption options, you have to secure information with one piece of software on the receiving end and another on the client system," Albertson said. "This approach quickly becomes prohibitively expensive."

With the required software licenses and the add-on accelerator cards for the processors, it can cost as much as $6,000 per laptop, he said.

To keep costs down, officials searched for a solution in which one access control point could encrypt information for a number of devices. They found only two such products: AirFortress from Oldsmar, Fla.-based Fortress Technologies Inc. and Cylink's NetHawk, which was selected.

"With NetHawk, network management became much simpler because we had [fewer] components to monitor and fewer potential points of failure," Albertson said.

During the summer, fort officials installed a few test applications. "Initially, we tried a streaming video system operating at a speed of 30 frames per second, and it was a bit clunky," Albertson said. "Once we went to the faster 802.11a adapters, the performance issues cleared up and the network operated blindingly fast."

Fort Sam Houston is now rolling out the new system. About 60 workstations are equipped with Proxim adapters that pass information via Enterasys antennas to Cisco 3548 XL LAN switches, then through the NetHawk system, and finally onto the base's wired network. The first live applications are expected to be online this fall.

Korzeniowski is a freelance writer based in Sudbury, Mass. He can be reached at paulkorzen@aol.com.

***

Secure connection

Agency: Fort Sam Houston in San Antonio

Challenge: Army medical command needed a flexible network, one capable of supporting an ever-changing array of network connections and an antiquated physical infrastructure.

Solution: The agency purchased Cisco Systems Inc.'s Secure Access Control Server, Proxim Inc.'s 802.11b wireless local-area network cards, Cylink Corp.'s NetHawk security system and Enterasys Networks Inc.'s wireless LAN outdoor antennas.

Cost: $50,000

Benefits: The military base's new network infrastructure can be quickly and easily installed with no security holes — and in full compliance with federal guidelines.