How secure does your enterprise wireless LAN have to be? We’re guessing that if it was as secure as a U.S. Army battlefield network, you’d be satisfied. Are we right?
The Army has decided that 802.11b networks are secure enough to carry Sensitive But Unclassified (SBU) data – if they’re protected by add-on security technology that passes the National Institute of Standards and Technology (NIST) FIPS 140-1 cryptography certification process.
The Army’s Program Executive Office, Enterprise Information Systems (PEO EIS) is in fact currently implementing FIPS 140-1-compliant technology from Oldsmar, FL-based Fortress Technologies Inc. (www.fortresstech.com) to beef up security on new 802.11b-based portable field network systems which it will deploy worldwide.
The Fortress technology uses 128-bit AES (Advanced Encryption Standard) to encrypt all data passing over the air, including in the subnet authentication process. The amazing thing about the Fortress technology is that before it encrypts the data it first compresses it, with the result that it actually increases throughput over standard Wi-Fi radios.
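Why the order matters, as an added example that is not Fortress code: compressing before encrypting shrinks what goes over the air, while compressing ciphertext gains nothing. The cipher here is a standard-library stand-in (SHA-256 in counter mode), not AES, and the records, key, nonce and function names are all constructed for illustration.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode). NOT AES; illustration only."""
    stream = bytearray()
    for block in range((len(data) + 31) // 32):
        stream += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
    # XOR is its own inverse, so the same call encrypts and decrypts.
    return bytes(a ^ b for a, b in zip(data, stream))


def compress_then_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The order the article describes: compress first, then encrypt.
    return keystream_xor(key, nonce, zlib.compress(plaintext, 9))


def decrypt_then_decompress(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return zlib.decompress(keystream_xor(key, nonce, ciphertext))


def encrypt_then_compress(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    # The reverse order: ciphertext looks random, so zlib finds nothing to remove.
    return zlib.compress(keystream_xor(key, nonce, plaintext), 9)


# Constructed sample: repetitive maintenance-style records, like logistics traffic.
SAMPLE = b"".join(
    b"unit=%03d;vehicle=TRK-%03d;status=SERVICEABLE;next_service_day=%02d\n"
    % (i % 12, i, 1 + i % 28)
    for i in range(200)
)
KEY = bytes(range(16))        # constructed 128-bit key
NONCE = b"constructed-nonce"  # constructed; a real nonce is never reused with a key


def airtime_bytes() -> dict:
    """Bytes that would cross the radio link under each ordering."""
    return {
        "plaintext": len(SAMPLE),
        "compress_then_encrypt": len(compress_then_encrypt(KEY, NONCE, SAMPLE)),
        "encrypt_then_compress": len(encrypt_then_compress(KEY, NONCE, SAMPLE)),
    }


if __name__ == "__main__":
    for name, size in airtime_bytes().items():
        print(f"{name:24s}{size:6d} bytes")
```

The length of a compress-then-encrypt ciphertext still tracks how compressible the plaintext was, which is the trade-off of this ordering.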
With the Combat Service Support Automated Information System Interface Project (CAISI) the Army will link small, otherwise stand-alone wired LANs in the field in a Wi-Fi “last-mile” network, and ultimately connect them into the military’s wide area mobile radio network.
The Army has committed to buying 6,000 of Fortress’s Wireless Security Gateway devices and thousands of copies of its Secure Client software. The two products are part of the company’s AirFortress security suite.
“We’ll start deploying within 60 days,” PEO EIS chief information officer (CIO) Pete Johnson told us. “I can’t talk about specifically where it will be deployed initially, but it will be used by all of the Army eventually.”
The CAISI project, minus the Fortress protection, was close to going live last November when the Army suddenly woke up to fairly serious security flaws in the 802.11b protocol. It banned all use of Wi-Fi – unless networks were protected by add-on security products such as those from Fortress.
The CAISI networks are used to track maintenance of vehicles and weapons in the field and to manage field supply systems. Johnson says, “Imagine those World War II movies with guys sitting at tables in tents with clipboards and typewriters. Well, now they sit at laptop or desktop computers.”
The CAISI network architecture is interesting to say the least. In each combat unit, there will be a small network of PCs connected by CAT-5 cabling to a standard Ethernet hub.
Why not wireless for the local area? Because this way the Army doesn’t have to retrofit all its field PCs at great expense with Wi-Fi cards. Also, in some cases, the PCs are old enough that Wi-Fi card drivers may not be readily available for them, Johnson says.
Traffic destined for other field units or for any other destination outside the local unit will pass through the hub to the Fortress box where it’s encrypted, then to a standard off-the-shelf Cisco Wi-Fi access point and router.
This Wi-Fi “last mile” network is also bridged to the Army’s much lower bandwidth mobile radio data network for wide area communication.
Johnson sees two key vulnerabilities in an unprotected – or WEP-protected (which is about the same thing) – Wi-Fi network.
Using readily available hacking tools, an enemy could intercept data passed over the wireless network as part of its intelligence gathering. More importantly, the enemy could infiltrate the Army’s larger network by posing as a trusted user on a Wi-Fi subnet.
The Fortress technology eliminates those vulnerabilities.
The information passed over the CAISI network is not classified. It’s not military orders or data about field strength, but it is sensitive. If the enemy learned, for example, that helicopters were due for maintenance the next day during a certain period, they might deduce that the helicopters would be out of action and plan military operations accordingly.
This may be a somewhat farfetched scenario, Johnson concedes. Still, just on general principle, “you don’t want anyone unauthorized reading any military information.”
He won’t say anything about what it is costing the Army to deploy the Fortress technology, but Fortress itself is more than happy to provide commercial pricing. (We’re assuming the Army is paying significantly less than the going rate – but you never know.)
The Wireless Security Gateway – the hardware component – sells for $1,995, the Secure Client software for $49 per user. The catch is that every client in the wireless subnet must run the software.
Because of the data compression used, each gateway can handle a full 11 Mbps of throughput. Fortress vice president of marketing and corporate development John Dow estimates that standard Wi-Fi access points actually only squeeze through about 4.8 to 5.2 Mbps.
So in a high-traffic wireless LAN, you need about one gateway per two access points. A less heavily used network could make do with fewer gateways. And then there’s the client software.
The Army contract is a “marquee win” for Fortress, says Dow. But there are other significant vertical markets for the AirFortress product, including health care, manufacturing and retail.
The company’s primary competition in these markets is from traditional VPN vendors. Dow argues that while VPN technology is good for remote access, it’s not really appropriate for securing wireless LANs.
In the past, industrial strength security for any wireless network – and the AirFortress solution is protocol agnostic, working in 900MHz, 802.11x and 802.16 networks – tended to be expensive and complex, or was perceived to be.
The crucial competitive advantage for the Fortress products, Dow says, is that they’re dead simple to set up and use. The Army’s Johnson confirms this. Ease of set-up was critical for the Army given that the systems it’s deploying will have to be constantly re-configured as units move around.
“Fortress was the only [vendor we considered] that offered the kind of ease of configuration we needed,” he says.
Can you make a Wi-Fi network secure enough to satisfy one of the most security conscious organizations in the world? Yep. And if it’s good enough for the Army, we’re thinking it’s good enough for most enterprises.