DOD toughens up wireless LAN security rules
Besides tougher and encryption standards, the new policy also requires intrusion detection systems that can geo-locate hackers or rogue access points.
The Defense Department has tightened policies on the use of wireless local-area networks (WLANs), in a memo released earlier this month, which requires beefed up encryption and security since the last DOD wireless policy memo was released in April 2004.
Besides tougher and encryption standards, the new policy also requires all 802.11a, b and g DOD WLAN systems to be equipped with an around-the-clock intrusion detection system that can geo-locate hackers or operators of rogue access points.
The new DOD WLAN policy, signed by the assistant secretary of Defense for networks and information integration June 2, 2006, states that any WLAN products connected to the DOD Global Information Grid must be certified and validated for secure end-to-end communications and interoperability.
The policy guidance specifies that DOD WLAN equipment must:
- Adhere to the National Institute of Standards and Technology Federal Information Processing Standard 140-2, which incorporates the 128 or 256 Advanced Encryption Standard (AES) or the Triple Digital Encryption Standard (Triple DES) role-based authentication and tamper -resistant physical security.
- Meet Common Criteria of the National Information Assurance Partnership (NIAP) operated by NIST and the NSA.
- Pass end-to-end interoperability tests run by Joint Interoperability Test Command.
- Be certified by the industry Wi-Fi Alliance as meeting commercial Wireless Protected Access 2, which supports AES and tough user authentication standards.
- Meet NIST data at-rest and data in-transit standards.
- Have personal firewalls.
- Use NIAP antivirus software.
- Use industry standard 802.11i authentication and encryption in 2007 in all DOD components with a configuration that insures use only with AES configured with cipher-block -chaining message authentication code protocol and not Triple DES.
The intrusion detection system of the new WLAN policy did not exist in 2004, reflecting the realities of outside probes and attacks on WLANs and the potential security holes that could result if insiders attach rogue or unauthorized access points or devices to a network.
Amit Sinha, chief technology officer at AirDefense, which has sold its intrusion detection system to a wide range of federal government clients, said the intrusion detection policies reflect the reality of what his customers inside and outside government are demanding.
The AirDefense system consists of sensors that monitor airwaves in and around a building for unauthorized users. That information is dispatched to a central console, which can monitor stand-alone WLANs or enterprise networks spanning the globe.
NEXT STORY: Survey: Contractors caught in clearances pinch