
Eyes front

By William Jackson, GCN Staff

As the Defense Department prepares a new wireless policy, agencies will be watching to see if standards collide

The Defense Department is planning to sharpen its wireless networking policy by requiring the use of interoperable products built to industry standards. Seems straightforward enough. But the question is: Do industry standards jibe with government standards? Defense IT shops and civilian agencies working up their own wireless policies want to know.

The current DOD policy, spelled out last year in Directive 8100.2, requires that wireless devices use cryptographic modules validated to Federal Information Processing Standard 140-2. That requirement will not change in Directive 8100.3, said Cmdr. Stan Burlingame, a program analyst working on the DOD commercial wireless policy.

“The purpose is not to supersede the existing policy, but to add more detail,” Burlingame said. “It now [also] says you will operate your wireless LAN based on the 802.11i standard.” And that’s where the potential rub comes in.

802.11i is the robust security standard for wireless networks from the Institute of Electrical and Electronics Engineers. Experts are concerned that 802.11i and FIPS-140-2 might not be compatible. That could be significant, considering that the impact of the DOD policy, expected to be finalized this month, may be felt beyond the Pentagon.

“This could very well flow into what the rest of the federal government adopts,” Burlingame said. For example, he said he has spoken with representatives from the Agriculture Department, which also plans to mandate 802.11i for wireless.

Pros and cons

The new policy is drawing a mix of criticism and praise from industry and DOD users.

“There are pros and cons” to using 802.11i, said Derek Krein, a wireless-security engineer with the Joint Forces Command’s Joint Experimentation Directorate in Suffolk, Va. “The pro is, it’s a standard. It sounds great on paper, but when it comes down to the technology, it’s not there yet. I’d rather have something that’s been in the field a few years before we hang our hats on it.”

Moreover, mixing the two standards, FIPS-140-2 and 802.11i, could result in a wireless system that is neither interoperable nor secure, said Mike Coop, vice president of consulting engineering for Cranite Systems Inc. of Los Gatos, Calif. Cranite is one of several companies, including Fortress Technologies Inc. of Oldsmar, Fla., and 3e Technologies International Inc. of Rockville, Md., that now provide wireless networking products meeting current DOD requirements for FIPS-140-2 encryption at the data link layer.


