joanie_wexler
Writer

Multivendor Wi-Fi nets most secure, says gov’t lab

Opinion
Jul 4, 20053 mins

* Military rolls out its own Wi-Fi solution

The U.S. Joint Forces Command has taken a multivendor, best-of-breed approach to managing and securing Wi-Fi networks.  

A Department of Defense agency, the USJFC researches future engineering trends that will benefit integrated warfighting among military branches. Based on its own testing of Wi-Fi networking, the USJFC recommends a multilayered security and management infrastructure as a best practice to the Army, Navy, Air Force and Marines.

In its own network, for example, it uses separate vendors for access points, encryption, authentication, intrusion detection and network management. It sees a mix of best-of-breed systems as less penetrable from a security standpoint, says Tony Cerri, experiment engineering department head at USJFC.

The lab runs a wireless LAN supporting 400 users, expected to soon grow to 700. Its Cisco Aironet 1200 access point infrastructure makes heavy use of 802.11a, because its network covers a dense user population in a two-building area and needs the extra channels to avoid interference.

“Having only three nonoverlapping channels [in 802.11b and 802.11g] just doesn’t cut it,” Cerri says. 802.11a, on the other hand, supports eight to 24 channels, depending on geography.

Client devices include Fujitsu and Acer tablet PCs, Dell laptops and Vocera 802.11 voice badges.

On top of the Cisco connectivity infrastructure is an AirFortress overlay for Advanced Encryption Standard (AES) Layer 2 encryption, a Bluesocket gateway authentication network and an AirDefense sensor network for intrusion detection.

Most recently, the USJFC layered on AirWave centralized configuration and management software to help scale access point deployment. This move happened after attempting to automate access point setup with Cisco’s Wireless LAN Solution Engine (WLSE) for two months and finding it “not intuitive,” says Derek Krein, wireless engineer.

The AirWave Management Platform also gathers RF statistics for root cause analysis and enables the USJFC to define and deploy security policy and conduct security configuration audits – an important security step currently lacking in many government agencies, according to a May 2005 study by the U.S. Government Accountability Office.

Bluesocket allows pass-through authentication, enabling users to log in with the command’s Active Directory and then transparently roam across what appears as a single wireless domain. This appealed to the USJFC, because Krein says the command “isn’t comfortable deploying the 802.11i security standard until the problems with 802.1X have been solved.”

He was referring to cross-subnet roaming delays associated with two-way, mutual authentication that are particularly problematic with real-time applications such as voice. A new roaming extension to the 802.11 standard, 802.11r, is expected to solve the latency issues, but not until at least 2007.

joanie_wexler
Writer

Joanie Wexler is an independent writer and editor who has spent 20+ years writing about computer networking technologies, their business potential, and implementation considerations. She serves clients at technology companies and industry publications writing educational materials on all aspects of IT.

More from this author