[ISN] Pentagon prohibits wireless, citing security reasons

From: InfoSec News (isnat_private)
Date: Sun Sep 29 2002 - 23:18:39 PDT


By Ellen Messmer
Network World Fusion 

The Office of the Secretary of Defense has issued a memorandum that
prohibits the use of many types of wireless technologies in the
Pentagon and much of the Army, Navy and Air Force until the military
has developed a wireless security strategy, which it expects to do
with assistance from the National Security Agency.

John Stenbit, assistant secretary of Defense for Command Control and
Communications and the Defense Department's chief information officer,
signed the memorandum along with the OSD's acting director of
administration and management, Howard Becker. Attached to the memo,
which pertains to use of wireless in the military's IT networks, is a
document entitled "Pentagon Area Common Information Technology
Wireless Security Policy." The document elaborates on the dangers of
wireless to network security and the steps the Penatgon and its
service branches are taking to come to grips with it. The decision on
wireless had been expected for several months.

Because wireless technologies, particularly wireless LANs, bring with
them new ways to break into networks, the Pentagon has decided to
prohibit the connecting of wireless devices to a classified network or
computer, the document states.

Use of some types of wireless devices will be allowed for unclassified
data only. These devices would include cellular telephones and
personal digital assistants "in areas where unclassified information
is electronically stored, processed or transmitted." In addition,
according to the document, "they would also be allowed in areas where
unclassified information is stored" and "when there is a documented
operational need."

The Penatgon's wireless security policy document specifically notes
that the prohibitions on wireless do not pertain to "land mobile,
emergency, and tactical radios and one-way receive-only devices."

"Given the exploitable vulnerabilities inherent in current wireless
products and technologies and the interdependence of Defense and
Pentagon networks, it is essential and expected that all tenants will
strictly adhere to this policy," Stenbit stated in the Sept. 25 memo.  
Stenbit notes that the OSD has asked the National Security Agency to
"develop a Wireless Technology Vulnerabilities Database" for the
Defense Department.

The document released by the Defense Department establishes a policy,
definitions and responsibilities to eliminate vulnerabilities
associated with wireless technologies, with the expectation of an
annual review of the policy.

It reiterates standing notions of security for voice, data and video,
network servers, LANs and telecommunications, noting that all need to
protect against intrusion, disabling and failure to authenticate
users. A particular goal is to ensure that user authentication of
Defense Department information transferred via wireless computing
devices takes place and to ensure that there will be no adverse impact
to critical Defense Department operations if wireless computing
devices and supporting infrastructure are rendered inoperable.

The document recommends that military's "network-capable, wireless
computing devices" use security mechanisms that include password
protection or authentication based on public-key certificates or
biometrics, among other technologies. In addition, wireless devices
must conform to Defense Department guidelines for intrusion detection,
auditing, monitoring, encryption and virus protection.

The document points to concerns that wireless LANs and other types of
wireless technologies may enable remote eavesdropping and unauthorized
entry into Pentagon systems if not used with the appropriate security.

The Pentagon wireless security document asks defense agencies to
record and gain certification for any wireless information systems
they use, and to conduct an audit to detect unauthorized wireless
information systems.

ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

This archive was generated by hypermail 2b30 : Mon Sep 30 2002 - 03:17:54 PDT