[ISN] USDA covers its bases with a detailed plan

From: InfoSec News (isn@private)
Date: Thu Jun 22 2006 - 00:29:54 PDT


http://www.gcn.com/print/25_16/41041-1.html

By Brad Grimes and Jason Miller
GCN Staff
06/19/06 issue

The Agriculture Department's wireless policy, updated in April through
a series of departmental notices, comprises everything from
architectural requirements to acquisition guidance.

Unlike the Defense Department's most recent wireless memorandum,
USDA's policy covers technologies such as Bluetooth and infrared
communications, which the department tightly restricts, requiring that
Bluetooth and infrared be used only between government-owned devices
or within secure government facilities.

These technologies also can only be used with strict security measures
turned on, including Encryption Mode 3, use of temporary personal
identification numbers and more.

It's a very detailed policy.

"We have 3,000 county offices where they use wireless devices, and we
have to make sure we have a policy that takes care of all our concerns
from a security perspective," said Robert Suda, USDA's associate CIO.

For instance, if an employee teleworks and uses a wireless LAN at
home, a department representative must inspect the employee's home to
ensure the use of Secure Sockets Layer protocol, virtual private
networking or the IEEE 802.11i wireless security standard with AES
encryption.

Within USDA, the policy requires the use of 802.11i. Approved two
years ago, the standard can be a hurdle for agencies that deployed
pre-802.11i networks, because the accompanying encryption algorithms
often require hardware upgrades.

USDA offices must also deploy 802.11i wireless equipment certified by
the National Institute of Standards and Technology to conform to
Federal Information Processing Standards 140-2. As in the recent DOD
wireless policy, FIPS-140-1 cryptographic modules are not acceptable.

Offices that deployed wireless networks before 802.11i came out have a
year from April to upgrade, and they're not allowed to connect their
noncompliant networks to any other USDA network without a waiver.

Aside from 802.11i requirements, USDA has taken many of the same steps
as DOD, requiring wireless intrusion detection devices and firewalls
along the wireless network. But unlike DOD, USDA is particularly
concerned with access point configuration.

The department requires X.509 certificates in all devices to
authenticate actual access points. USDA also requires that all APs be
registered with the department and maintain logs of unauthorized
access attempts for 30 days. In addition, the policy said, "APs will
be located on interior walls of buildings."

Agriculture is one of only a handful of agencies with a mature
wireless policy.

© 1996-2006 Post-Newsweek Media, Inc. 



_________________________________
Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.
www.blackhat.com



This archive was generated by hypermail 2.1.3 : Thu Jun 22 2006 - 00:50:47 PDT