joanie_wexler
Writer

Federal agencies need to improve Wi-Fi controls

Opinion
Jul 6, 20052 mins

* NIST to develop updated wireless guidelines

A study conducted by the U.S. Government Accountability Office from September 2004 to March 2005 concluded that while federal agencies are benefiting by the flexibility of wireless LANs, few have implemented the policies, best practices and tools needed to operate Wi-Fi networks securely.

In a report submitted in May to U.S. Representative William Lacy Clay (D-Mo.), the GAO summarized findings of 24 agencies surveyed and 6 agencies visited on-site. Specifically, the study found that:

* Nine federal agencies have not issued policies on wireless networks.

* Thirteen agencies reported not having established requirements for configuring or setting up wireless networks in a secure manner.

* The majority of federal agencies lack wireless network monitoring to ensure compliance with agency policies, prevent signal leakage and detect unauthorized wireless devices.

The report recommends that the Director of the Office of Management and Budget instruct federal agencies to ensure that wireless network security is incorporated into their agency-wide security programs in accordance with the Federal Information Security Management Act. FISMA requires each agency to develop, document and implement an information security program for its information systems.

Also, the National Institute of Standards and Technology (NIST) develops standards that agencies are required to follow and recommends steps for protecting information. According to the GAO report, NIST is in the process of updating its 2002 “Wireless Network Security: 802.11, Bluetooth and Handheld Devices,” a guide to building secure wireless networks, to bring it more in line with current architectures and tools.

In the meantime, centralized management systems that enable policy setting, enforcement and auditing can help fulfill some of the GAO’s suggestions. Note that the U.S. Joint Forces Command, discussed in the last newsletter, is using the AirWave Management Platform as a centralized platform for defining security policy. The platform also continually audits the Wi-Fi infrastructure to ensure that all devices are accurately configured to enforce that policy.

The AirWave system can also identify unauthorized devices on the network (or integrate with a third-party sensor network to do so) and, as a management system, can trigger the automatic shutdown of the rogue devices it discovers.

joanie_wexler
Writer

Joanie Wexler is an independent writer and editor who has spent 20+ years writing about computer networking technologies, their business potential, and implementation considerations. She serves clients at technology companies and industry publications writing educational materials on all aspects of IT.

More from this author