[ISN] Army locks down wireless LAN

From: InfoSec News (isnat_private)
Date: Tue Oct 22 2002 - 01:53:44 PDT

  • Next message: InfoSec News: "[ISN] Vet the code or pay the price"

    Forwarded from: William Knowles <wkat_private>
    By Paul Korzeniowski 
    Oct. 21, 2002
    Fort Sam Houston is a prime candidate for wireless networks. The San
    Antonio installation is home to the commanders of the Army's medical
    systems and supports various military training services, including
    battle simulation. Because other tactical groups often conduct tests
    at the site, a network may be installed for a week, a few months or
    even a year.
    On top of this, the base has 18,000 computer users and houses a number
    of older buildings, so running high-speed copper or fiber wiring is
    expensive, impractical and sometimes impossible.
    Wireless local-area networks based on the popular 802.11 standards
    emerged as the best way to expand the base's network last year because
    of the easy setup and breakdown, and the minimal disruption to the
    existing infrastructure.
    However, such an approach is not as secure as its wired counterparts,
    something other government agencies have discovered the hard way.
    "A number of federal agencies installed wireless LANs that they
    thought were secure but ended up being open to eavesdroppers," said
    Michael Disabato, an analyst with the Burton Group, a market research
    firm in Salt Lake City.
    For Fort Sam Houston officials, security was a high priority as they
    shopped for a wireless LAN. A network with security flaws was not an
    option. Also, officials knew that they ought to follow stricter
    security guidelines than the average organization.
    "Previously, I worked for a large financial institution and understood
    that it was only a matter of time until federal agencies were forced
    to tighten up their network security requirements," said Matthew
    Albertson, senior network design engineer at the fort. "I did not want
    to walk into my office one morning, find a new policy directive and
    then have to revamp our network. So we searched for the most
    restrictive security standards that we could find and used them as the
    foundation for our selection."
    Officials at the Army base determined that to prevent unauthorized
    access to their wireless connections, they would have to deploy a
    number of extra security checks.
    "Current limitations with the 802.11 security features [have] created
    a lot of fear, uncertainty and doubt," said J.P. Gorsky, general
    manager for the wireless business unit at Enterasys Networks Inc., a
    Cabletron Systems Inc. company in Rochester, N.H. Although "there are
    some potential security holes, there are also steps [information
    technology] departments can take to close them up."
    Fort officials began their search last fall and examined wireless LAN
    products from various vendors, including Enterasys; Cisco Systems
    Inc., Linksys Group Inc. and Proxim Inc.
    One problem with security products is that they tend to add overhead
    and diminish network performance. So throughput was a top concern for
    base officials, who tested potential products using the largest files
    they could find: multiple streaming videos and high-bandwidth
    The results were mixed. On the plus side, base officials found that
    laptop wireless cards were easy to install, had a good range and
    worked with a variety of brands, such as Dell Computer Corp., Toshiba
    Corp. and Panasonic. As far as access points  the entry points and
    gatekeepers to the network  were concerned, they found that
    throughput speeds and the number of channels available varied from
    vendor to vendor.
    After testing the various products, base officials decided to deploy
    tools from multiple companies rather than go with a single vendor's
    "I think that you get the highest degree of security when you mix and
    match products because a hacker doesn't have to just break one firm's
    security check, he has to break all of them," Albertson said.
    Who Goes There?
    Network security starts with access control, which prevents
    unauthorized users from entering a network. Hacking into a wireless
    LAN can be as simple as plugging a wireless adapter card into a laptop
    and searching for an open link, a process similar to finding the
    nearest cellular phone tower when driving.
    Vendors built some security functions into 802.11 wireless LAN
    standards, which come in two varieties: 802.11b, which operates at 11
    megabits/sec, and 802.11a, at 54 megabits/sec. When granting access,
    these networks rely on Service Set Identifiers (SSIDs) to identify
    each network component.
    Individual device information is verified in one of two ways. The
    first authentication process requires that a device supply a known
    SSID before being granted network access. Unfortunately, network
    access points constantly broadcast their SSIDs, allowing intruders to
    detect them with devices such as network analyzers and use that
    information to enter a network.
    With the second technique, shared-key authentication, the access point
    sends each client, or node, on the network a challenge-text packet
    that it must encrypt and return to the access point. If the client has
    no key or the wrong key, authentication fails and the client cannot
    access the network.
    However, the Institute of Electrical and Electronics Engineers Inc.'s
    initial shared-key authentication standard, Wired Equivalent Privacy
    (WEP), proved to be insecure because its key system and encryption
    technique were not strong enough.
    To close those holes, Fort Sam Houston officials purchased an access-
    control system from Cisco, wireless LAN adapters from Proxim,
    network-access equipment from Enterasys and encryption software from
    Cylink Corp., based in Santa Clara, Calif. Officials chose the Cisco
    product because it offered the highest degree of user authentication
    and could be integrated with the Army base's network management
    system, CiscoWorks2000.
    The Proxim adapters, which were installed on the base's workstations
    and now provide the wireless connection to the network, proved to be
    quite powerful.
    "I expected any wireless LAN adapter to start to lose its transmission
    strength at about 500 feet," Albertson said. "The Proxim product
    delivered full transmission rates at more than 700 feet."
    Fort officials purchased the Enterasys radio equipment, which plugs
    into a computer with a cable, to provide configuration flexibility and
    convenience when temporary users need to connect to the wireless LAN.  
    Military officials from other bases regularly arrive for various
    training programs, such as battlefield simulations, emergency
    evacuations and special forces missions. They often bring their own
    hardware and software, so the base's network has to support a wide
    variety of systems.
    "We needed a system that doesn't care about what encryption, operating
    system or configuration a PC has," said Albertson. "The Enterasys
    equipment plugs in the back of any computer and works with any
    operating system, even MS-DOS" from Microsoft Corp.
    The encryption component proved to be the trickiest to find.
    "With most of the current encryption options, you have to secure
    information with one piece of software on the receiving end and
    another on the client system," Albertson said. "This approach quickly
    becomes prohibitively expensive."
    With the required software licenses and the add-on accelerator cards
    for the processors, it can cost as much as $6,000 per laptop, he said.
    To keep costs down, officials searched for a solution in which one
    access control point could encrypt information for a number of
    devices. They found only two such products: AirFortress from Oldsmar,
    Fla.-based Fortress Technologies Inc. and Cylink's NetHawk, which was
    "With NetHawk, network management became much simpler because we had
    [fewer] components to monitor and fewer potential points of failure,"  
    Albertson said.
    During the summer, fort officials installed a few test applications.  
    "Initially, we tried a streaming video system operating at a speed of
    30 frames per second, and it was a bit clunky," Albertson said. "Once
    we went to the faster 802.11a adapters, the performance issues cleared
    up and the network operated blindingly fast."
    Fort Sam Houston is now rolling out the new system. About 60
    workstations are equipped with Proxim adapters that pass information
    via Enterasys antennas to Cisco 3548 XL LAN switches, then through the
    NetHawk system, and finally onto the base's wired network. The first
    live applications are expected to be online this fall.
    Korzeniowski is a freelance writer based in Sudbury, Mass. He can be
    reached at paulkorzenat_private
    Secure connection
    Agency: Fort Sam Houston in San Antonio
    Challenge: Army medical command needed a flexible network, one capable
    of supporting an ever-changing array of network connections and an
    antiquated physical infrastructure.
    Solution: The agency purchased Cisco Systems Inc.'s Secure Access
    Control Server, Proxim Inc.'s 802.11b wireless local-area network
    cards, Cylink Corp.'s NetHawk security system and Enterasys Networks
    Inc.'s wireless LAN outdoor antennas.
    Cost: $50,000
    Benefits: The military base's new network infrastructure can be
    quickly and easily installed with no security holes  and in full
    compliance with federal guidelines.
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Tue Oct 22 2002 - 05:11:25 PDT