Information Security News mailing list archives

Army locks down wireless LAN


From: InfoSec News <isn () c4i org>
Date: Tue, 22 Oct 2002 03:53:44 -0500 (CDT)

Forwarded from: William Knowles <wk () c4i org>

http://www.fcw.com/fcw/articles/2002/1021/spec-army-10-21-02.asp

By Paul Korzeniowski 
Oct. 21, 2002

Fort Sam Houston is a prime candidate for wireless networks. The San
Antonio installation is home to the commanders of the Army's medical
systems and supports various military training services, including
battle simulation. Because other tactical groups often conduct tests
at the site, a network may be installed for a week, a few months or
even a year.

On top of this, the base has 18,000 computer users and houses a number
of older buildings, so running high-speed copper or fiber wiring is
expensive, impractical and sometimes impossible.

Wireless local-area networks based on the popular 802.11 standards
emerged as the best way to expand the base's network last year because
of the easy setup and breakdown, and the minimal disruption to the
existing infrastructure.

However, such an approach is not as secure as its wired counterparts,
something other government agencies have discovered the hard way.

"A number of federal agencies installed wireless LANs that they
thought were secure but ended up being open to eavesdroppers," said
Michael Disabato, an analyst with the Burton Group, a market research
firm in Salt Lake City.

For Fort Sam Houston officials, security was a high priority as they
shopped for a wireless LAN. A network with security flaws was not an
option. Also, officials knew that they ought to follow stricter
security guidelines than the average organization.

"Previously, I worked for a large financial institution and understood
that it was only a matter of time until federal agencies were forced
to tighten up their network security requirements," said Matthew
Albertson, senior network design engineer at the fort. "I did not want
to walk into my office one morning, find a new policy directive and
then have to revamp our network. So we searched for the most
restrictive security standards that we could find and used them as the
foundation for our selection."

Officials at the Army base determined that to prevent unauthorized
access to their wireless connections, they would have to deploy a
number of extra security checks.

"Current limitations with the 802.11 security features [have] created
a lot of fear, uncertainty and doubt," said J.P. Gorsky, general
manager for the wireless business unit at Enterasys Networks Inc., a
Cabletron Systems Inc. company in Rochester, N.H. Although "there are
some potential security holes, there are also steps [information
technology] departments can take to close them up."

Fort officials began their search last fall and examined wireless LAN
products from various vendors, including Enterasys, Cisco Systems
Inc., Linksys Group Inc. and Proxim Inc.

One problem with security products is that they tend to add overhead
and diminish network performance. So throughput was a top concern for
base officials, who tested potential products using the largest files
they could find: multiple streaming videos and high-bandwidth
downloads.

The results were mixed. On the plus side, base officials found that
laptop wireless cards were easy to install, had a good range and
worked with a variety of brands, such as Dell Computer Corp., Toshiba
Corp. and Panasonic. As far as access points — the entry points and
gatekeepers to the network — were concerned, they found that
throughput speeds and the number of channels available varied from
vendor to vendor.

After testing the various products, base officials decided to deploy
tools from multiple companies rather than go with a single vendor's
solution.

"I think that you get the highest degree of security when you mix and
match products because a hacker doesn't have to just break one firm's
security check, he has to break all of them," Albertson said.

Who Goes There?

Network security starts with access control, which prevents
unauthorized users from entering a network. Hacking into a wireless
LAN can be as simple as plugging a wireless adapter card into a laptop
and searching for an open link, a process similar to finding the
nearest cellular phone tower when driving.

Vendors built some security functions into 802.11 wireless LAN
standards, which come in two varieties: 802.11b, which operates at 11
megabits/sec, and 802.11a, at 54 megabits/sec. When granting access,
these networks rely on Service Set Identifiers (SSIDs) to identify
each network component.

Individual device information is verified in one of two ways. The
first authentication process requires that a device supply a known
SSID before being granted network access. Unfortunately, network
access points constantly broadcast their SSIDs, allowing intruders to
detect them with devices such as network analyzers and use that
information to enter a network.

With the second technique, shared-key authentication, the access point
sends each client, or node, on the network a challenge-text packet
that it must encrypt and return to the access point. If the client has
no key or the wrong key, authentication fails and the client cannot
access the network.

However, the Institute of Electrical and Electronics Engineers Inc.'s
initial shared-key authentication standard, Wired Equivalent Privacy
(WEP), proved to be insecure because its key system and encryption
technique were not strong enough.

To close those holes, Fort Sam Houston officials purchased an access-
control system from Cisco, wireless LAN adapters from Proxim,
network-access equipment from Enterasys and encryption software from
Cylink Corp., based in Santa Clara, Calif. Officials chose the Cisco
product because it offered the highest degree of user authentication
and could be integrated with the Army base's network management
system, CiscoWorks2000.

The Proxim adapters, which were installed on the base's workstations
and now provide the wireless connection to the network, proved to be
quite powerful.

"I expected any wireless LAN adapter to start to lose its transmission
strength at about 500 feet," Albertson said. "The Proxim product
delivered full transmission rates at more than 700 feet."

Fort officials purchased the Enterasys radio equipment, which plugs
into a computer with a cable, to provide configuration flexibility and
convenience when temporary users need to connect to the wireless LAN.  
Military officials from other bases regularly arrive for various
training programs, such as battlefield simulations, emergency
evacuations and special forces missions. They often bring their own
hardware and software, so the base's network has to support a wide
variety of systems.

"We needed a system that doesn't care about what encryption, operating
system or configuration a PC has," said Albertson. "The Enterasys
equipment plugs in the back of any computer and works with any
operating system, even MS-DOS" from Microsoft Corp.

The encryption component proved to be the trickiest to find.

"With most of the current encryption options, you have to secure
information with one piece of software on the receiving end and
another on the client system," Albertson said. "This approach quickly
becomes prohibitively expensive."

With the required software licenses and the add-on accelerator cards
for the processors, it can cost as much as $6,000 per laptop, he said.

To keep costs down, officials searched for a solution in which one
access control point could encrypt information for a number of
devices. They found only two such products: AirFortress from Oldsmar,
Fla.-based Fortress Technologies Inc. and Cylink's NetHawk, which was
selected.

"With NetHawk, network management became much simpler because we had
[fewer] components to monitor and fewer potential points of failure,"  
Albertson said.

During the summer, fort officials installed a few test applications.  
"Initially, we tried a streaming video system operating at a speed of
30 frames per second, and it was a bit clunky," Albertson said. "Once
we went to the faster 802.11a adapters, the performance issues cleared
up and the network operated blindingly fast."

Fort Sam Houston is now rolling out the new system. About 60
workstations are equipped with Proxim adapters that pass information
via Enterasys antennas to Cisco 3548 XL LAN switches, then through the
NetHawk system, and finally onto the base's wired network. The first
live applications are expected to be online this fall.

Korzeniowski is a freelance writer based in Sudbury, Mass. He can be
reached at paulkorzen () aol com.

***

Secure connection

Agency: Fort Sam Houston in San Antonio

Challenge: Army medical command needed a flexible network, one capable
of supporting an ever-changing array of network connections and an
antiquated physical infrastructure.

Solution: The agency purchased Cisco Systems Inc.'s Secure Access
Control Server, Proxim Inc.'s 802.11b wireless local-area network
cards, Cylink Corp.'s NetHawk security system and Enterasys Networks
Inc.'s wireless LAN outdoor antennas.

Cost: $50,000

Benefits: The military base's new network infrastructure can be
quickly and easily installed with no security holes — and in full
compliance with federal guidelines.



*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*



-
ISN is currently hosted by Attrition.org
