Wireless World, by Ephraim Schwartz
WLANs, the Army way
WE LIVE IN a democracy, a fact that is evident even in the corporate world which, during the past decade or so, has tried at least to build consensus. But sometimes it is hard not to admire swift, autocratic decisions made from the top.
In late 2001, researchers revealed how to break the backbone of IEEE 802.11 security based on a so-called static WEP (Wired Equivalent Privacy) key. Although corporate execs waffled on what to do while reassuring one another that the risk was small, the U.S. Army handled things its own way.
“The Army said anybody using WLANs [wireless LANs] had to shut them down. They issued a directive that you cannot run a wireless LAN … unless you were running the [NIST FIPS (National Institute of Standards and Technology Federal Information Processing Standards)] standard on top of that,” said Pete Johnson, CIO of the Army’s Program Executive Office of Enterprise Information Systems in Virginia.
What that meant was anybody who had 802.11b hardware was out of luck. I relate this not just because it is a good story, but because after much searching, the Army found a level of security with which it could live. Now the Army is firing up its WLANs again, and next month it will launch project CAISI (Combat Service Support Automated Information System Interface), which will roll out 11,000 access points with 85,000 users for battlefield logistics support. The project had been postponed due to the potential for breach of 802.11 security.
Johnson says he saw a lot of “quick fixes” to the potential breach, such as rapid rekeying for WEP as ratified by the IEEE 802.11 committee, but he was not satisfied. “We don’t know what the performance hit is with rapid rekeying,” he said.
As a matter of fact, neither do its proponents. I spoke with Dennis Eaton, chairman of the Wireless Ethernet Compatibility Alliance, and he said the performance hit will depend on the processor in the access point. The Army turned to Fortress Technologies, in Tampa, Fla., for its solution: AirFortress, a stand-alone appliance and software that provides encryption meeting the NIST FIPS high-level security standard.
According to Dick Hibbard, vice president of engineering at Fortress, another difference between Fortress and everybody else is that it encrypts the entire IP packet at Layer 2.
“All the other vendors encrypt at Layer 3. All of the IP header is exposed at Layer 3, source, and destination address,” Hibbard said.
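A worked illustration of Hibbard's point, added here and not part of the original column or of any Fortress product: a constructed Ethernet/IPv4/UDP frame is encrypted either from the end of the IP header (the Layer 3 style he describes) or from the end of the Ethernet header (the Layer 2 style), and a passive eavesdropper's view of each is compared. The keystream, addresses and payload are constructed stand-ins, not a real cipher or real traffic.

```python
import hashlib
import socket
import struct

ETH_HDR = 14   # Ethernet II header: dst MAC, src MAC, EtherType
IP_HDR = 20    # minimal IPv4 header (no options)

def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload):
    """Constructed sample Ethernet II + IPv4 + UDP frame (checksums left zero)."""
    eth = bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + b"\x08\x00"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp

def keystream(key, n):
    """Toy SHA-256 counter-mode keystream standing in for the real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt_from(frame, offset, key):
    """Encrypt everything after `offset`; the leading bytes stay cleartext."""
    ks = keystream(key, len(frame) - offset)
    return frame[:offset] + bytes(a ^ b for a, b in zip(frame[offset:], ks))

def observer_view(frame, cleartext_len):
    """Fields a passive eavesdropper can read, given how many leading bytes are clear."""
    view = {"dst_mac": frame[0:6].hex(), "src_mac": frame[6:12].hex(),
            "src_ip": None, "dst_ip": None}
    if cleartext_len >= ETH_HDR + IP_HDR:      # IP header exposed: Layer 3 style
        view["src_ip"] = socket.inet_ntoa(frame[26:30])
        view["dst_ip"] = socket.inet_ntoa(frame[30:34])
    return view

def compare_layers(key=b"constructed-demo-key"):
    """Return (Layer 3 view, Layer 2 view) for the same constructed frame."""
    frame = build_frame("aabbccddeeff", "001122334455", "10.0.0.5", "10.0.0.9", b"logistics")
    l3 = encrypt_from(frame, ETH_HDR + IP_HDR, key)   # IP src/dst remain visible
    l2 = encrypt_from(frame, ETH_HDR, key)            # whole IP packet hidden
    return observer_view(l3, ETH_HDR + IP_HDR), observer_view(l2, ETH_HDR)
```

The Layer 2 view still exposes the MAC addresses, since the link-layer header must stay readable for the frame to be delivered at all; only the IP endpoints and everything above them disappear.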
But I did speak with John Pescatore, a security analyst at Gartner, in Stamford, Conn., and a former member of the National Security Agency and the FBI. Although Pescatore says Fortress offers more than most companies probably need, he also said this: “For classified information — and in the military where it can be a matter of life or death — a solution like the one Fortress offers is the way to go. It’s tamperproof.”
And that, folks, is the Army way.