After two years of internal policy debate, the U.S. Department of Defense last week issued rules that all branches of the military - as well as contractors and visitors - must follow to secure commercial wireless equipment and services.
In particular, wireless LANs have raised Defense Department concerns because unencrypted traffic is easily intercepted through over-the-air "sniffing." The Defense Department's Directive 8100.2 requires any new military purchases of wireless equipment and services for unclassified data to use encryption. The encryption has to have gone through the National Institute of Standards and Technology's (NIST) Federal Information Processing Standard (FIPS) 140-2 cryptographic validation program. The Pentagon - which left room for exceptions on a case-by-case basis - also called the encryption of unclassified voice traffic "desirable."
FIPS 140-2 testing isn't easy, vendors point out. It took Fortress Technologies 18 months and more than $100,000 to get its products through the FIPS 140-2 testing process done by Coact, a NIST-accredited lab in Columbia, Md.
Wireless still is viewed as so risky, though, that Directive 8200.1, signed by Deputy Secretary of Defense Paul Wolfowitz, forbids use of wireless devices for storing or sending the more-secret classified data. In this case, the military authorities would have to give written permission and would require non-commercial encryption provided by the National Security Agency.
That doesn't surprise Maurice Smith, network security manager in the Fort Meade, Md., Army unit that handles toxicology analysis to check soldiers for illegal drug use. "We just don't allow wireless," says Smith, adding that his organization encrypts sensitive information about drug tests. The Army's toxicology division blocks access from the Internet with a Symantec 5420 multi-use gateway, which also runs anti-spam and anti-virus software.
Directive 8200.1 also contains a mandate requiring anti-virus software on wireless-capable handhelds and workstations. And the new rules forbid downloading of mobile code from sources not related to the Defense Department.
The directive gives the Army, Navy, Air Force and other military groups up to 180 days to report to Pentagon CIO Francis Harvey on implementation plans for new and legacy systems. But with discussion ongoing for some time between military departments, industry and the Pentagon, few expect wireless projects to go off-track.
In many instances, it's evident the Army, Navy and Air Force are taking different approaches to WLAN security.
Systems integrator Xacta, a Telos company, is assisting in the installation of campus-style WLANs based on the Cisco Model 1200 access points at more than 50 Air Force bases.
"The Air Force has decided it will use a VPN" to meet Defense Department encryption requirements, says Tom Badders, Xacta director of wireless networking. The Air Force selected a Cisco 3000 series VPN that already has passed FIPS 140-2 certification. The Navy is looking at using 3e Technologies' wireless access point, which also has passed the FIPS 140-2 cryptography tests, he says.