Dec 31 2009

Getting a Handle on Wireless Security

Congress and the Defense Department wrestle with the technical and security issues surrounding the wireless revolution.

When the founders of the United States conceived of a federal
government, they envisioned an adaptable creature that could grow—politically,
sociologically and culturally—with the nation. What they could not imagine or
plan for were the technological changes that followed, including wireless technology.

Certainly William Thornton, drawing blueprints for the Capitol building in
1792, cannot be faulted for failing to make allowances for node placement and
wireless network coverage. And George Washington never received messages
with Secure/Multipurpose Internet Mail Extensions (S/MIME) encryption from
his military commanders.

But it still leaves the man in charge of information technology networks in
the nation's Capitol building in something of a bind.

"It's a constant balance between trying
to be accessible and providing the
security that people demand in
government," says John Erickson,
CIO for the House Administration
Committee, which oversees IT projects
in the Capitol building. "Better
communication enhances our ability to
legislate, and it's the job of the IT staff to
make sure that enhanced communication
doesn't create a host of new problems."

At the Defense Contract Management
Agency (DCMA), which handles supply
and services procurement for the Defense
Department, the wireless revolution has
come in the form of BlackBerry devices.
These handheld units have become an
integral part of DCMA's business
operations, but CIO Michael Williams
recognizes their security limits.

"We can't afford to have any classified
information go over BlackBerrys, and
therefore we don't allow it," he says.

"That's a level of security we haven't
attained yet."

That's a healthy attitude, says Chris
Kozup, a wireless technologies analyst
for the META Group, a research firm in
Stamford, Conn.

"Users should worry," he advises. "This
[network security] isn't a core competency
for most organizations. Don't assume
everything's going to work perfectly, and
don't assume that basic out-of-the-box
protections will be enough to keep your
information and network secure."

Wireless Status Symbol

BlackBerry wireless e-mail devices have
proliferated to an extraordinary degree in
Washington during the past two years.
The device's manufacturer, Research in
Motion Ltd., estimates that more than
100,000 government employees and
representatives use BlackBerry units.

"The demand is huge," says Erickson
of the House Administration Committee.
"We try to limit the usage to those
people who absolutely need them, but
everybody wants one."

Congress, the White House and DOD
have outfitted senior officials and staff
with these devices. Putting one on your
hip in the morning has become every bit
as much of a ritual to many federal
employees as putting on their shoes.

"It's made a dramatic change,"
says Carlos Solari, CIO of the Executive
Office of the President. "It's an essential
way of doing business for us. It's how
we communicate with each other these

Congress is expanding its use of
BlackBerry devices. On March 22, the
House of Representatives approved use
of voice-and-data BlackBerrys. These
devices are not a substitute for the data-only versions now in use, as service
coverage for the combination devices is
limited to inside the Capitol and other
House buildings. However, the House
Administration Committee is evaluating
whether to replace the data-only devices
with voice-and-data versions.

The move toward BlackBerrys served
as a notebook replacement program at
DCMA, says the agency's Williams. "We
made a deal with some people," he says.
" 'Turn in your laptop or you're not getting
a BlackBerry'… and they bought it."

Like Congress, DCMA is shifting
toward combination voice-and-data
units. The agency is also creating more
applications for the devices. Leave
authorization and other forms used in
the field have been turned into Web
documents that Williams hopes to
transmit via the BlackBerry platform.
With 12,000 people in an agency that
spans 900 duty stations—some with only
one person—in the United States and 24
other countries, enabling fieldwork is a
priority for DCMA.

"We're looking to take more
portability to our workforce so they don't
have to rush back to their desk,"
Williams says.

The project's main hiccup wasn't in
sending or authorizing the forms—standard identification and passwords
will be used—but in developing the Java
documents, he says.

For security, DOD required that
BlackBerry devices support encryption
protocols, including S/MIME for e-mail.
Research in Motion developed the
add-on software module.

Because the BlackBerry is being
deployed as a push technology, DCMA
hasn't built in device-level antivirus and
firewall protection. Because all e-mail flows
through the agency's servers before it is
pushed to the handset, the BlackBerry unit
relies on the antivirus software, firewall
devices and intrusion-detection capabilities
of the agency's messaging system, which is
part of DOD's Defense Information Systems Network.

"We've had no instances of BlackBerry
devices becoming infected or
transmitting infections in any way,"
Williams says.

DCMA plans to beef up user
authentication on wireless devices. By
year's end, Williams hopes to use
ruggedized personal digital assistants to
run a wireless signature application for
materials and receipts. The application
will be based on DOD's Wide Area Work
Flow-Receipt and Acceptance (WAWF-RA)
software, which lets contractors securely
create and send electronic reports and
invoices to the government for approval.
The Marine Corps uses WAWF-RA
to track ammunition in Iraq.

"When a contractor's invoice comes in,
we can accept and pay it on the spot
and have that information automatically
logged in our systems," Williams explains.

Also on the DOD's horizon is the
wireless use of its Common Access Card
(CAC), a smart card that has public key
infrastructure authentication and
signature capabilities.

DCMA has installed card readers on
all of its desktops and has ordered card
readers for its notebooks. A limiting
factor of the cards is that "the identity
certificates on the CACs don't work with
Microsoft Active Directory for purposes
of network sign-on," Williams says.

"Soon after DOD and Microsoft
resolve the CAC-Active Directory
compatibility issue, we'll start requiring
use of CACs for network log-in
identification and authentication,"
Williams reports. After that, he expects
CAC readers for wireless devices to

Wireless on Capitol Hill

BlackBerrys aren't the only wireless
concern for federal IT executives, who
are also grappling with the mechanics of
wireless local area networks (WLANs).

"We're a year away from having some
sort of wireless 802.11 network out here
[on Capitol Hill]," says Erickson of the
House Administration Committee.

The question is how to set up roaming
subnets in old buildings. "Wireless access
points are a huge concern of ours,"
Erickson acknowledges. "They're hard to
control, so we're trying to write a firm set
of guidelines around those issues."

META Group's Kozup sees a lot of
upside in establishing an 802.11
network. "We find wireless is generally a
better solution for older buildings than
wired solutions," he says.

Ensuring that the signal propagates
throughout the building can be difficult
since thick walls can block signals. But a
site plan is useful in overcoming such
issues, Kozup notes. Existing software
tools can download computer-aided
design schematics of a building and
make recommendations about wireless
node placement.

In addition to signal failure, signal
interference can also create problems,
according to Kozup. "Just because I can
get a signal somewhere doesn't mean that
I've got it deployed properly," he points
out. "You're looking for the lowest
interference possible."

Security is another challenge. The
prevailing rule of thumb is to protect the
network at every point—the enterprise,
the data and the device.

Security Trumps RF Signals

"Don't worry about the amount of radio
frequency [RF] that leaks out of the
building," Kozup says. "You need to
ensure that the data is encrypted across
the signal, that you've got strong
authentication policies and that you have
some sort of access control. If you do that
right, just determining there's an RF
signal isn't going to do anyone any

At DCMA headquarters in Fairfax
County, Va., Williams has no plans to
build a WLAN. "People can go running
around in a building and get a lot done
[with a WLAN], but I've got security
concerns that outweigh that," he says.

"The current out-of-the-box encryption
available on the market is, to me, too
easily broken into."

With no guarantee of seamless
interoperability between products from
different vendors, Williams is leery of
implementing a WLAN. "We can't risk
our information security with partial
solutions," he says.

At the Capitol, Erickson faces similar
issues, but has concluded the technology
is mature and secure enough for
congressional use. "It's one of the things
we have to make work," he says.


A priority pyramid and a little paranoia can go a long way toward
ensuring the security of a wireless local area network (WLAN).

That security begins with a three-phased WLAN design: Protect the
enterprise, protect the data and protect the mobile devices, says John
Pescatore, research vice president at Gartner Inc., a research firm in
Stamford, Conn.

Deploying access points (APs) on segregated virtual private networks
limits traffic exposure and allows granular access control, but WLAN
managers must also anticipate vulnerabilities, Pescatore says.

This anticipation should begin with a site survey to identify how many
APs are required and where they should be located, according to
Pescatore. He recommends determining points at which an attacker can
attempt to connect to your APs, as well as dead spots where users may
attempt to install rogue APs.
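One concrete way to act on this survey advice, and on the access-point control problem Erickson raises above, is to treat the inventory of authorized APs that the survey produces as a baseline and compare periodic scans against it. The following is an added example, not code from the article, from Gartner or from any of the agencies quoted; the scan-output format, the made-up BSSIDs and SSIDs, and the -60 dBm threshold used to guess that an unknown radio is inside the building are all assumptions.

```python
"""Rogue access point triage against an authorized-AP inventory.

Added illustration, not from the article.  A site survey records every
authorized AP (BSSID, SSID, channel, security mode).  Later scans are
compared with that inventory: unknown BSSIDs advertising our SSID are
evil twins, strong unknown signals on other SSIDs are candidate user-
installed rogues, and authorized APs that no longer appear point at
dead spots or failed hardware.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumption: a BSSID heard at or above this level is probably on premises.
INDOOR_RSSI_DBM = -60

# Constructed inventory (made-up BSSIDs and SSID) as a site survey would record it.
AUTHORIZED_APS: Dict[str, dict] = {
    "00:11:22:33:44:01": {"ssid": "hse-secure", "channel": 1, "security": "WPA2-EAP"},
    "00:11:22:33:44:02": {"ssid": "hse-secure", "channel": 6, "security": "WPA2-EAP"},
    "00:11:22:33:44:03": {"ssid": "hse-secure", "channel": 11, "security": "WPA2-EAP"},
    "00:11:22:33:44:04": {"ssid": "hse-secure", "channel": 6, "security": "WPA2-EAP"},
}

# Constructed scan output in an assumed whitespace-separated shape:
#   bssid  ssid  channel  rssi_dbm  security
SCAN_OUTPUT = """
# bssid             ssid        chan  rssi  security
00:11:22:33:44:01   hse-secure  1     -48   WPA2-EAP
00:11:22:33:44:02   hse-secure  6     -51   WPA2-EAP
00:11:22:33:44:03   hse-secure  11    -55   OPEN
de:ad:be:ef:00:01   hse-secure  6     -42   OPEN
de:ad:be:ef:00:02   linksys     1     -39   WPA2-PSK
de:ad:be:ef:00:03   CoffeeShop  11    -83   OPEN
"""


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi: int
    security: str


def parse_scan(text: str) -> List[Observation]:
    """Parse the assumed scan format, skipping blank and comment lines."""
    observations = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed scan line: {raw!r}")
        bssid, ssid, chan, rssi, sec = fields
        observations.append(Observation(bssid.lower(), ssid, int(chan), int(rssi), sec))
    return observations


def classify(observations: List[Observation], inventory: Dict[str, dict]) -> Dict[str, str]:
    """Return a verdict for every observed BSSID."""
    our_ssids = {ap["ssid"] for ap in inventory.values()}
    verdicts: Dict[str, str] = {}
    for o in observations:
        expected = inventory.get(o.bssid)
        if expected is not None:
            if o.security != expected["security"]:
                # Known hardware, wrong security mode: e.g. an EAP AP reset to open.
                verdicts[o.bssid] = "authorized-misconfigured"
            elif o.channel != expected["channel"]:
                verdicts[o.bssid] = "authorized-channel-drift"
            else:
                verdicts[o.bssid] = "authorized"
        elif o.ssid in our_ssids:
            # Our SSID from hardware we never deployed: impersonation.
            verdicts[o.bssid] = "evil-twin"
        elif o.rssi >= INDOOR_RSSI_DBM:
            # Strong, not ours, not our SSID: likely a user's own AP indoors.
            verdicts[o.bssid] = "rogue-candidate"
        else:
            verdicts[o.bssid] = "neighbor"
    return verdicts


def missing_aps(observations: List[Observation], inventory: Dict[str, dict] = AUTHORIZED_APS) -> List[str]:
    """Authorized APs absent from the scan: dead spot, failure or theft."""
    seen = {o.bssid for o in observations}
    return sorted(b for b in inventory if b not in seen)


def triage(text: str, inventory: Dict[str, dict] = AUTHORIZED_APS) -> Dict[str, str]:
    return classify(parse_scan(text), inventory)


def needs_attention(verdicts: Dict[str, str]) -> List[str]:
    """BSSIDs whose verdict calls for someone to walk the floor."""
    return sorted(b for b, v in verdicts.items() if v not in ("authorized", "neighbor"))


if __name__ == "__main__":
    observed = parse_scan(SCAN_OUTPUT)
    for bssid, verdict in sorted(classify(observed, AUTHORIZED_APS).items()):
        print(f"{bssid}  {verdict}")
    print("not seen:", missing_aps(observed))
```

The verdicts map onto the survey's two questions: an unknown BSSID broadcasting the corporate SSID is the attacker-connection case, a strong unknown signal on a foreign SSID is the user-installed rogue in a dead spot, and an authorized AP that stops appearing is either the dead spot itself or a unit that has failed or walked off. The threshold and the heuristics are starting points to tune against the survey's own signal map, not fixed rules.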

Don't assume the devices or their operating systems are trustworthy.
"Verify trust upon access and use," he advises.

If, after your best efforts at planning end-to-end security are
completed, you think your wireless network can't be breached, you
should review Pescatore's top four security exposure scenarios:

• A lost or stolen user device contains unprotected data and network
access credentials.

• A user device is infected with a Trojan horse acquired from a Web site
that records confidential information.

• User device and virtual private network are breached by file system
exposure in a public Internet service provider.

• After any of the above attacks succeeds, a hacker engages in identity theft.

"All of this is made so much easier by a wireless LAN," Pescatore says.
Network security is everyone's business, he adds. "No one in the
enterprise is too unimportant to follow security best practices."