
U.S. Government Certified Wireless Security Products?

Cliff posted more than 12 years ago | from the sniff-mah-encrypted-wireless-traffik dept.


superid asks: "Our facility is just beginning to install small wireless 802.11b networks to support our office developers and staff. I think most people end up happy with wireless and enjoy the freedom. Our little branch office has about 100 people and our whole facility has close to 3000 people, so it's reasonable to expect our wireless needs to grow. However, I have just received an email, sent to all network administrators of our facility, directing us to shut down all wireless devices until they are certified by our Information Security department. Of course I'm not surprised by this. I'm aware of the problems with WEP and tools like airsnort. I know there are numerous security products and projects, but can any of them trace a lineage back to FIPS? Wouldn't it be a major victory to see an OSS product listed as validated by NIST?"

"Here are the certification requirements:

Encryption must be implemented end-to-end over an assured channel and shall meet the FIPS 140-1 or 140-2, Overall Level 2 (Triple-DES or AES) standard, at a minimum.
I know there are uncertified software solutions, but for ease of integration, our office has chosen AirFortress for a hardware solution. This will run us about $2,500 for our small office and is quite reasonable. However, it would be nice if there was an Open Source solution as well. The difference is that any OSS solution must be 'certified'."


132 comments


first post? (-1, Offtopic)

getter_85 (464748) | more than 12 years ago | (#3788097)

eh? did I make it?

Re:first post? (-1)

perl_god (578135) | more than 12 years ago | (#3788125)

NO you did not; if you have to ask, "did I get it",
any FP-ness is negated. The first post for this thread
belongs to the See Ell Eye Tee

You should post with more confidence in the future.

Re:first post? (-1)

CLIT (581942) | more than 12 years ago | (#3788163)

Be easy on the n00b. Allow him free entry into the CLIT, and also let him give pr0pz to TrollBridge [slashdot.org] by joining his friends list.

Re:first post? (-1)

perl_god (578135) | more than 12 years ago | (#3788210)

Apologies if I seemed too harsh --
I meant simply to encourage our friend to revel
in the glory of the first post...
It's a beautiful thing!
Let us give the maddest of pr0pX0rz to our brethren!

Re:first post? (-1)

Dead Fart Warrior (525970) | more than 12 years ago | (#3788416)

Incentive is needed for joining.

Like great quality pr0n, damnit!

fags (-1, Flamebait)

Anonymous Coward | more than 12 years ago | (#3788102)

you heard me.

The crazy thing is... (-1)

perl_god (578135) | more than 12 years ago | (#3788103)

I wasn't even *trying* to get FP!

madpropz2daclit

Fags! (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3788106)

I hope you die choking on your own feces!

to state the obvious (1, Insightful)

Anonymous Coward | more than 12 years ago | (#3788117)

This may sound kind of stupid, but how do you *know* that a government certification actually makes something secure?

Re:to state the obvious (1)

saphena (322272) | more than 12 years ago | (#3788216)

We don't *know* that a government certification actually makes something secure; in fact, the opposite might be true: government certification makes it *less* secure.

The problem is often that any certification is deemed to be better than none, and governments (civil servants) generally like things to fit into boxes they can tick.

Re:to state the obvious (0)

Anonymous Coward | more than 12 years ago | (#3788354)

Just out of curiosity, can you name more than 1 thing that was _made_ 'less secure'?

The government is comprised of people just like you or me. If there is a mandate to make something inherently insecure, it would probably be some sort of secret, rather than an open policy to test something, as is what is going on with the question from the original author.

Now, do I think that the 'government' is always out for our own best interests? Sure. Do I think it always happens? No. There will always be those people who can make key decisions that will botch that up.

Re:to state the obvious (1)

MindStalker (22827) | more than 12 years ago | (#3788411)

Back when the government was pushing for key escrow, sure. Nowadays, no, I doubt it.

Re:to state the obvious (1)

BethLogic (561055) | more than 12 years ago | (#3788426)

He listed two certifications, FIPS 140-1 and 140-2, that NIST has given. Both are Cryptographic Module Testing standards that help certify that the crypto stuff you are using is "reasonably" secure. The standard covers many areas, such as key management and the generation of random numbers. More information about 140-2 (the later version) can be found at FIPS 140-2 [nist.gov]. And NIST doesn't actually test the equipment themselves; any vendor wishing to put that certification on their product must have it tested.

The Computer Security Division of NIST spends a lot of time researching what works and what doesn't. They (NIST) are a centralized body given the power (responsibility?) to design good standards and publish them for the US to use. And that is how you know that something is secure.

Re:to state the obvious (1)

idletask (588926) | more than 12 years ago | (#3788578)

Parent of this modded as 0? Excuse me but the guy is so right that his comment deserved a 3+. Government certification AFAIK doesn't guarantee your privacy in any way.

Come on, think a little... When it comes to security *of network communications*, any agency, whether it be privately funded or state funded, cannot be trusted, EXCEPT if they prove MATHEMATICALLY that what you transmit cannot be deciphered, if at all, at least for a very long period of time. The good thing with maths is that demonstrations can be trusted. No such thing can be said of any other science.

I've yet to see any "certification agency" giving mathematical proof that what it "certifies" is secure at all. RSA has lived long enough because it has been proven MATHEMATICALLY that breaking it would require YEARS of computer crunching at the highest levels (who uses <=1024-bit RSA keys today?).

Of course, maths are still (always, for that matter) a work in progress, and what is true with RSA today may not be true anymore tomorrow (Bernstein's hypothetical prime-number-breaking machine has not been implemented yet AFAIK, and even if it were... well, let's just wait and see).

Encrypted VPNs are certainly a good choice, apart from any certification wahwah. But then be sure to choose an encryption scheme which is MATHEMATICALLY PROVEN to be strong enough for your needs. And if part of your scheme is based on public cryptography, ensure that private keys never travel "through the air", but that's pretty obvious.

Re:to state the obvious (1)

FrEaK7782 (588564) | more than 12 years ago | (#3788642)

Of course, even if they're mathematically proven "strong", it doesn't mean that it won't be broken tomorrow. Your security relies on the hope that no one will find a faster way to solve the discrete log problem (RSA) or, worse yet, find a flaw in the design that enables linear-time decoding. It's really just luck... or maybe reliance on the lack of ingenuity of man (which I wouldn't rely on).

What a stupid article (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3788131)

Isn't open sores software great! No, it's not great! It sucks! Microsoft makes more money in one day than all open sores software companies make in a year! IDIOTS!

Got your wireless right here (0)

Anonymous Coward | more than 12 years ago | (#3788132)

No really, here it is. It's cool! Up to 7 feet away from the base station and it's still working great. I'm going to try to double that with the next version. I'm reading up on those antenna things. I get the impression that would help a lot. Man, technology sure is great.

Re:Got your wireless right here (1)

comatose6032 (589008) | more than 12 years ago | (#3788386)

http://www.signull.com: low-priced 802.11b wifi antennas

Why government certified? (3, Interesting)

Zach` (71927) | more than 12 years ago | (#3788139)

Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?

Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.

Re:Why government certified? (0, Offtopic)

gmhowell (26755) | more than 12 years ago | (#3788159)

Being opposed to the war on drugs is a traditional conservative viewpoint. What another man does that doesn't bother me is his own business. Traditionally, abortion rights supporters were conservatives.

But, since '72 or '80, depending on how you look at things, it's all been flopped around and mixed up.

Re:Why government certified? (4, Informative)

CodeMonky (10675) | more than 12 years ago | (#3788168)

Because it's standard.
Because it's perceived as good.
Because if you want to get a government contract you better meat government standards.
Because the government is supposed to have what is best for the people in mind.
Because private corporations have what is best for them in mind and really want you to pay for their product and not their competitors.

Re:Why government certified? (1)

CodeMonky (10675) | more than 12 years ago | (#3788187)

sigh.
s/meat/meet/

Re:Why government certified? (0)

Anonymous Coward | more than 12 years ago | (#3788192)

Because the government is supposed to have what is best for the people in mind.
Because private corporations have what is best for them in mind and really want you to pay for their product and not their competitors.

The two most important things I've seen so far. While corporations always have their own best interests first, last and only, the government theoretically should have the interests of the people first.

There's no guarantee that they do, of course, but it's a hell of a lot better than dealing with people who pointedly aren't looking out for you at all. :)

Re:Why government certified? (1)

DeltaSigma (583342) | more than 12 years ago | (#3788171)

What I got from reading the story was that this guy works in a government facility, is contracted to a government branch, or is employed by the government...

...maybe that was just me though.

Re:Why government certified? (4, Insightful)

RollingThunder (88952) | more than 12 years ago | (#3788186)

Why?

Simple. The government has several large groups of people paid very well to be professionally paranoid, and to whom cost isn't a real concern - only the actual validity of the security.

Therefore, if THEY say that it's secure, you've got a pretty good chance of it being good enough. Much better than trusting that Vendor XYZ's pretty shiny brochure says "secure!" five times, and no negative reviews show up online.

Trust the experts. In this case, many of the experts happen to work for the government. If they worked in the private sector (and some do, but not most, and they're almost all biased), I'd look to them to certify things.

Re:Why government certified? (2)

Vengie (533896) | more than 12 years ago | (#3788195)

NIST CERTIFICATION!
Government contracting ETC. must comply with GOVERNMENT STANDARDS in order to get GOVERNMENT MONEY. (I'm working at a Nuclear Research Lab that makes radiation detection -- PROTECTION EQUIPMENT -- that US Customs are using in the new port monitoring operations -- and we have to comply with NIST standards.) If you want a government paycheck, obey government rules.

Re:Why government certified? (3, Insightful)

CaffeineAddict2001 (518485) | more than 12 years ago | (#3788214)

Because individual corporations are too self-centered and greedy to agree on a standard and stick to it.

Re:Why government certified? (1)

billstr78 (535271) | more than 12 years ago | (#3788228)


Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?

Because a lot of companies are too busy trying to be first to market and not really interested in making secure, bullet-proof products. This person's company is obviously trying to make WEP solutions safe in their building and sees FIPS certification as the most reliable means of ensuring that security. I only wish M$ software had to undergo these sorts of government tests!

The advantage of having the government certify your transport protocols is that you have _one_ central organization that has _one_ standard and not a mess of differing ways of transferring data just to get around patents and proprietary closed means.

Why the W3C or any other standards organization? Because open, sensible standards make sense and benefit everyone who participates.

Liberal philosophy (1)

Banner (17158) | more than 12 years ago | (#3788239)

Because the Liberal Philosophy is Government Control and Central Authority. DUH!!

Re:Why government certified? (3, Insightful)

Squeamish Ossifrage (3451) | more than 12 years ago | (#3788247)

Well, I think there's a big difference between "government regulation" and "government certification." Regulation is forcing you to do (or not do) something, while a certification is just providing information. As long as the certification isn't legally mandated, this doesn't strike me as being so big a problem: it may be wasteful or stupid, but it's not oppressive.

I tend to dislike government involvement at least as much as the next guy (which is sort of ironic, considering what I do [lockheedmartin.com]), but this seems fairly reasonable. One thing that governments have done for a long time [hants.gov.uk] is establish standards (especially units of measure) and test whether products live up to their claims vis-à-vis those standards. I don't think it's that big a jump from certifying that a "pound" of flour really weighs a standard pound to certifying that a wireless networking hub offers the security it claims to.

Off topic (0)

Anonymous Coward | more than 12 years ago | (#3788415)

Oooh! A web site with a corporate theme! It reminds me of the old National Geographic theme

Re:Why government certified? (5, Insightful)

gwernol (167574) | more than 12 years ago | (#3788255)

Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products?

The private sector has a really poor track record of developing independent standards by which products can be compared. One of the main purposes of a business is to develop competitive advantage over its rivals, this is counter to the notion of having universal standards against which your products are measured.

This is (IMHO) a great example of where the government can provide a useful service to citizens that the private sector is unlikely to generate. A standard certification means that I can compare and contrast products from different manufacturers. I don't have to take Manufacturer X's claim of "superior security protocols" at face value; I can see whether it meets certain well-defined criteria.

It's this kind of oversight that ensures that something like a true free market can operate. A true free market requires consumers to have excellent/perfect information with which to compare products. Private enterprise is incented to stifle the flow of such information - see recent attempts by companies to use copyright law to prevent the publication of independent reviews of their products. We need a government - which ideally is free from commercial biases - to provide enough regulation and guidance to enable a true free market to operate.

Why don't we fight for LESS government and LESS government intervention...

If you don't believe there are lots of people doing exactly this you are very much misinformed. If you believe we should all fight for such things you don't understand people and you don't understand democracy.

Re:Why government certified? (2)

SquadBoy (167263) | more than 12 years ago | (#3788287)

We don't let the government tell us what products are good or bad, but the sad fact of life is many of us work in sectors that are heavily regulated. Yes, this should change, but no, it is not going to anytime soon, and in the meantime people like myself have work to do. Also, a government cert is in many cases CYA; it can be a strong defense in a court case. This is why, for example, all my networks have to meet many DoD standards even though I have *nothing* to do with the DoD. In the case that something should happen, my ass is covered. Sad but true. And yes, I do work in my off hours to try and change this.

Re:Why government certified? (5, Funny)

American AC in Paris (230456) | more than 12 years ago | (#3788369)

Why do we jump to have the government certify our electronic devices, standards, and protocols? Why can't we merely rely on the private sector to develop sound products? Why don't we fight for LESS government and LESS government intervention? How much control over your daily lives do you want the government to have?

Many Slashdot readers are "liberal" or "left-leaning" and are opposed to the War on Drugs and drug laws in general. If you don't like the government telling you what you can and cannot put in your body, why are you so eager to have the government tell you what it thinks the best and worst products are? Let the private sector handle this.

An excellent point, my "conservative" or "right-leaning" friend!

I, for one, trust the private sector to make important standards decisions [microsoft.com] in a just and unbiased [rambus.com] manner. I know that I can count on private enterprise to interact with the public in an open and honest [enron.com] fashion, and think that your average board of directors [worldcom.com] has a much better handle on what's going on with their company [xerox.com] than some hare-brained committee of bureaucrats has over some bloated, complex government scheme.

Besides, I don't want such important things left up to some government agency that could disappear from the face of the planet in an instant [fuckedcompany.com] --no, thank you, I'll take private enterprise any day. They're really looking out for what's best for me [riaa.com] .

...perhaps we should look to Europe [rail.co.uk] for examples of how to do things properly...

Re:Why government certified? (2)

elefantstn (195873) | more than 12 years ago | (#3788475)

I was going to make a list of government screwups to counter your business screwups, but I have a wedding to go to next Saturday.

Re:Why government certified? (1)

American AC in Paris (230456) | more than 12 years ago | (#3788569)

I was going to make a list of government screwups to counter your business screwups, but I have a wedding to go to next Saturday.

...then consider this the scathingly witty retort I would have written to the reply you were going to write. Enjoy the wedding!

All in good fun,
AAiP

Re:Why government certified? (3, Insightful)

Fizzlewhiff (256410) | more than 12 years ago | (#3788400)

Umm.... The writer works in a government facility and is asking about wireless products that meet government standards for security.

This isn't about bigger government or any other conspiracy where in order to buy new hardware it has to have passed government inspectors. Relax, you won't be seeing a purple USDA stamp of approval on your NIC any time soon, unless it is made out of beef. Mmmmmm... 802.11beef, it's what's for dinner.

Re:Why government certified? (1)

T-Ranger (10520) | more than 12 years ago | (#3788424)

Uh, the government has standards and certifications for lots of things:
  • building codes
  • vehicle safety standards
  • labour codes (OHSA/WHMIS, etc.)
  • environmental standards; air/water pollution
Developing standards should be an open, collaborative process, but when lives or property are at risk, that is when you want to enforce standards, and then you need government to do it. The orig poster doesn't mention if he is in the gov, or a subcontractor. If that's the case, then of course it should be the gov enforcing a standard. But it could be read a different way, where he is in an org unrelated to the gov, but the gov standard is merely a measuring stick. And that's reasonable. His org's management decided that they should have network security, so rather than develop their own standard they copy someone else's. No one is stomping on your precious rights here.

Government standards (2)

Interrobang (245315) | more than 12 years ago | (#3788486)

Also, we have hopes that it's a lot easier to make governments pick a standard and stick to it, collectively (as in ISO [www.iso.ch] ), although it can be hard to get them to agree, say, ANSI vs CSA standards and so on...

By the way, T-Ranger, my Canadian confrere, most of the Yanks on /. don't know what WHMIS (Workplace Hazardous Materials Information System) is, and that's OSHA (Williams-Steiger Occupational Safety and Health Act).

Interrobang, tech writer in OSH&E

Re:Government standards (1)

T-Ranger (10520) | more than 12 years ago | (#3788900)

Indeed. But "standards are fun, there's so many to choose from".

I pondered the spelling of OSHA. I'm almost positive that in NS it's the Occupational Health and Safety Act. I also could have sworn that my WHMIS trainers told me that it was American as well... The important part: MSDSs (material safety data sheets) are international anyway.

One crazy summer I was a tech for a geotechnical company. Talk about standards. CSA concrete methods. Municipality conc standards. Provincial conc standards. ASTM methods for some lab tests. Some from LA. Some from the US Corps of Engineers. And all the time European road builders laughing at us and the crap we put up with.

Re:Why government certified? (-1)

Anonymous Coward | more than 12 years ago | (#3788536)

Would you rather have *Microsoft-Certified*?

Re:Why government certified? (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3788686)

odds are good that if i smoke a bowl, while sitting on my couch, that nobody else will be affected in any way, whatsoever, with a possible exception of an extra sale to the local sushi delivery joint.

Re:Why government certified? (3, Insightful)

Zeinfeld (263942) | more than 12 years ago | (#3788716)

Why do we jump to have the government certify our electronic devices, standards, and protocols?

Because they are one of the key parties able to give an endorsement to a product. The microcomputer market exploded when IBM entered and provided it with the necessary endorsement; before IBM entered the fray, micros were considered by many IT managers to be toys. The Web took off outside the computer industry after the White House went online; before that, no F500 company that was not in the computer or communications business would give us the time of day.

The issue here is that the WEP-I standard was badly bodged. So there is going to have to be an endorsement by an opinion leader before people feel safe to use the improved WEP-II.

The idea that NIST could provide that endorsement is not a bad one; clearly none of the industry players can do it at the moment. This is despite the fact that the 802.11 security group was acting on the problems before they were brought to public attention in the Berkeley paper.

The standard that is being generally adopted is 802.1X, which is a general authentication mechanism for port-level access that was originally developed for Ethernet. Microsoft deployed a profile of this in the Windows XP support for WEP. There may be some divergence between this and the eventual standard, since Windows XP shipped only a short time after the WEP flaws were publicised.

WEP-II does not provide perfect security; there remain features of the design which, although nobody knows an exploit, are still rather unsatisfactory. The biggest of these is that they still use RC4, where I would much prefer AES. However, the processors on the current 802 cards don't have the power to support AES, and the liability is not great enough to justify throwing away all the existing cards.

On the OSS front, the best thing to do in this instance would be to follow Microsoft's approach and use a compatible profile of 802.1X. For the code to be any use to people it is going to have to work with the 802 hardware sold by the major vendors.

The big problem at the moment is that the access point hardware with support for the more advanced authentication mechanisms tends to be sold as $1500 enterprise solutions rather than $150 SOHO boxes, grrrr.

What I would really like is for someone to develop a cheap ($150) firewall router type box that supports Linux (or BSD) and PCMCIA to plug in an access card.

why does freenetproject.org condone child porn (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3788148)

The FAQ rightfully lists "disgusting.. offensive or terrorism" material as protected by free speech. However, it also includes child pornography. Is there anyone here, at all, who honestly believes that child pornography (I'm not talking stories or cartoons here) is a "freedom of speech" issue?

Re:why does freenetproject.org condone child porn (-1)

perl_god (578135) | more than 12 years ago | (#3788166)

Well, yes, actually.
Are you acquainted with the work of Jon Katz?

Re:why does freenetproject.org condone child porn (0)

MindStalker (22827) | more than 12 years ago | (#3788431)

Actual quote:

What about kiddie porn, offensive content or terrorism?

While most people wish that child pornography and terrorism did not exist, humanity should not be deprived of their freedom to communicate just because of how a very small number of people might use that freedom.

They are not condoning child porn, but admitting that Freenet might assist, and saying that yes, it's bad. But free speech is more important. It's about the same thing as someone saying yes, the internet helps people spread child porn. But are you gonna take down the entire internet because of it?

Re:why does freenetproject.org condone child porn (0)

Anonymous Coward | more than 12 years ago | (#3788756)

It's about the same thing as someone saying yes, the internet helps people spread child porn. But are you gonna take down the entire internet because of it?

That depends on my ability to make a profit on the alternatives which would surely arise. So I guess AOL could be well served by succeeding in doing this.

Question (-1, Troll)

Anonymous Coward | more than 12 years ago | (#3788158)

Would that be the same government that kept fighter jet planes on the ground while 1000's of innocent people were killed?

Is it the same government that has lied about a plane hitting the pentagon when the photographic evidence shows that there was no damage above the first floor?

Re:Question (0)

Anonymous Coward | more than 12 years ago | (#3788193)

Is it the same government that has lied about a plane hitting the pentagon when the photographic evidence shows that there was no damage above the first floor?

Or the same government whose CCTV "evidence" had a 9/*12* datestamp?

Come on, where are the Bush-lickers to say we are all paranoid nuts, and convince us that the government really does put our interests first?

Re:Question (0)

Anonymous Coward | more than 12 years ago | (#3788232)

Huh? I've seen the Pentagon--in pictures and live, up close. I can assure anyone that there was extensive damage on all floors and on the roofs leading to the inner rings. What sort of doctored crap are you looking at?

Re:Question (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3788249)

Oh man, what a stupid troll. The cameras have pictures of it hitting, and there were a couple hundred witnesses to boot.

There was destruction -above- the first floor, and just FYI, the building was made of heavy reinforced concrete. Remember, when it was built there was a WAR on.

Idiot.

Re:Question (-1)

Anonymous Coward | more than 12 years ago | (#3788293)

One of the most successful trolls involves getting a Slashbot sooooo worked up that they have to reply even after admitting plainly and openly that they know it's a troll.

If I ever met you, I'd point at you and laugh so hard I'd piss myself.

The plane! The Plane! (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3788456)

Oh man, what a stupid troll. The cameras have pictures of it hitting, and there were a couple hundred witnesses to boot.

There was destruction -above- the first floor, and just FYI, the building was made of heavy reinforced concrete. Remember, when it was built there was a WAR on.

Idiot.

I've never seen a picture with a plane in it. I've seen pictures that showed up six months later that show an explosion, but despite the reporter's suggestions and stopping and looking at each frame, I don't see a plane. I have a satellite photo from that day that has resolution good enough to see cars on the highway and in the parking lot, but it shows no sign of a plane. I've seen the photos of the building still smoking and it doesn't show any sign of a plane. There was an excellent photo taken by the French press (a copy is here [cyberspaceorbit.com] ) and it clearly shows that, until the upper floors collapsed on the first floor, any impact hole was limited to the first floor, which makes one wonder where that big plane was when the photo was taken.

Sheep.

Not even funny (0, Offtopic)

maddogsparky (202296) | more than 12 years ago | (#3788367)

Some trolls are funny.

Some are mean. This one pokes at a wound that hasn't healed yet.

Show some humanity.

WEP is useless anyway (3, Insightful)

scosol (127202) | more than 12 years ago | (#3788167)

Sensitive data that needs protection should be encrypted at the app level anyway.

I'm *far* more interested in robust access-control rather than someone peeping in to my packets...

Re:WEP is useless anyway (2)

SuiteSisterMary (123932) | more than 12 years ago | (#3788268)

Sensitive data that needs protection should be encrypted at the app level anyway.

Incorrect. This allows for traffic analysis and other wonderful thingies.

Or, at least, insufficient. It should be encrypted at the app level, then encrypted AGAIN at the transport level.

Re:WEP is useless anyway (2)

RollingThunder (88952) | more than 12 years ago | (#3788306)

Exactly. There was an SSH timing attack last year or so, based off of average typing patterns, where they could pull your password, or what it likely was, by timing the packets as they flew by.

Re:WEP is useless anyway (ssh timing attack) (2)

Beryllium Sphere(tm) (193358) | more than 12 years ago | (#3788451)

That was presented at the 2001 IEEE Security and Privacy conference. The idea is that if two characters are enough milliseconds apart, they likely come from separate rows on the keyboard.

The researchers estimated about a 50x work factor reduction for cracking the password.

Then came the audience question which was a trademark of the conference, "Were you aware that $1 reported that already in $2 at $3?"

Re:WEP is useless anyway (1)

scosol (127202) | more than 12 years ago | (#3788370)

The SSH "timing" attack is:

a) Impractical- and all it gives you is the *length* of the password.
Which for all intents and purposes is almost worthless.

b) Not stopped by WEP- the fact that the packets are encrypted doesn't stop you from seeing the timing between them.

I personally have my shit set up like the other guy says- with the wireless net completely untrusted- and using a VPN to come in.

But for some architectures, that's just not practical- which is why I'd like to see much stiffer access controls.

Re:WEP is useless anyway (3, Interesting)

SuiteSisterMary (123932) | more than 12 years ago | (#3788664)

In this case, I'm talking traffic usage patterns.

Let's say you have AppX, which is used to decode, say, Albanian diplomatic encryption schemes. Its traffic is very very distinctive, over the network. Encrypted to hell and back, but very very distinctive.

So, Albania wants to find out if its ciphers are cracked. So it puts out a red herring, then listens to the network traffic radiating from the NSA building. Sure, it's encrypted, but who cares? They can tell.

This sounds stupid, and contrived, but remember, during the Cold War, the Russians would watch the pizza restaurants local to places of interest. If a bunch of pizzas are delivered to a certain door of the Pentagon at 10 at night, you know something's up.

Similarly, American diplomats in Russia were, and probably still are, told to do weird things. Why? To mask the signals and dead drops and stuff being done by actual American intelligence officers.

Re:WEP is useless anyway (1)

scosol (127202) | more than 12 years ago | (#3788739)

Well "right" and all-

I totally agree- my original point being that WEP is useless.

And here- WEP also does nothing to obscure network traffic.

wireless security is easy... (0)

Anonymous Coward | more than 12 years ago | (#3788172)

... use a VPN to authenticate and transmit traffic over the wireless network. That's it. Anything else is icing on the cake, such as: monitoring who makes DHCP requests; hardening boxes which will be exposed on the wireless network and a firewall behind the access point.

the .gov is useless with security, particularly when it affects the public. Don't waste time waiting for them to save you, the cavalry ain't coming.

What? (2, Funny)

need2jive (588990) | more than 12 years ago | (#3788175)

What makes anyone think that the US government could do any better securing wireless devices than the millions of geeks currently working on the subject?

Re:What? (0)

Anonymous Coward | more than 12 years ago | (#3788230)

millions?
I don't believe it.
Maybe tens of thousands...

Re:What? (1)

need2jive (588990) | more than 12 years ago | (#3788254)

OK, a little exaggeration but there are still plenty of people working on it.

Re:What? (1)

GodInHell (258915) | more than 12 years ago | (#3788397)

What makes anyone think that the US government could do any better securing wireless devices than the millions of geeks currently working on the subject?

They don't do the work better, they're just a little less kind in their criticism. One of the big holes in Open Source / Free software is a nearly complete lack of proper Quality Assurance practices.

Finding a public body willing to test your work for you is a coder's wet dream; finding one that will grant you an air of reliability, all the better.

-GiH
My dog ran away with my wife, but it's okay, I have coffee.

Re:What? (1)

saider (177166) | more than 12 years ago | (#3788496)

They won't develop security, just publish data on how secure various products are relative to some standards.

Kinda like rating car crashworthiness. They don't develop the airbags and bumpers. They just run a car into a brick wall, see how it affects the passengers, and publish the results.

Re:What? (1)

saider (177166) | more than 12 years ago | (#3788680)

Oops!

s/passengers/crash test dummies/

Bureaucrat's job on line... (0)

Anonymous Coward | more than 12 years ago | (#3788786)

... instead of just how much profit exactly his company makes.

A protocol certified 'secure' by, say, OpenBSD, means something different than a protocol certified secure by the Feds. In one case, it stands on its own as a pretty reasonable assurance, but something I'd look at very carefully before setting up a bank using it. In the other, we're asking 'I have a remotely advised drone armed with tank-killing missiles, and I feel secure talking to it using this protocol'.

I'm not saying that the government is necessarily 'better' at figuring this out. Just that they'll be motivated to try, and will feel free to spend lots of money researching the problem. :)

Why use JetFortress? (1, Informative)

Anonymous Coward | more than 12 years ago | (#3788178)

Cisco Aironet stuff + their Secure ACS on Solaris would do the trick just fine via LEAP.


It's always gonna cost you... (2, Insightful)

Banner (17158) | more than 12 years ago | (#3788205)

Anything you put over the airwaves is gonna get hacked sooner or later, because you've just eliminated the ONE thing that makes hacking the hardest: ACCESS.

Getting access to the data is always the most difficult step, hence Social Engineering, breaking and entering, etc. Putting all your stuff on the air so anybody can drive by in a car, or set up a nice antenna across the street now lets them suck down all your data and take all the time they want to crack it.

So if you want really good security on those airwaves, well you're going to need something that wasn't put together by a bunch of geeks working on their lunchbreaks. (At least right now; in the future as security becomes more developed this might change). You're going to need something that a reputable company puts out and will back up with patches and changes and won't put in backdoors because they're too worried about lawsuits. Someone with an excellent track record, and who will personally answer your security questions.

You just don't get those kinds of things or assurances with today's level of Open Source Developers. Besides, if you're not willing to fork out some major cash to secure your data in a highly insecure environment, then maybe you shouldn't go there!

Re:It's always gonna cost you... (1)

viperblades (576174) | more than 12 years ago | (#3788570)

Ummm, I hope that was a joke. If not, are you describing a company like Microsoft? And as far as OSS having backdoors, that's why you check the code and patch it yourself.

Bull. (0)

Anonymous Coward | more than 12 years ago | (#3788873)

If I was that obsessed about security, I'd have a DVD's worth of one time pad set up on both ends. Since even that isn't an inexhaustible source, what if we use the first 1 Meg as a key for blowfish (or whatever) for a while. Once it will take less time than the heat exhaustion of the universe to crack due to the number of packets sent - switch keys to the second Meg off of the one time pad.

One of the things that makes cracking WEP or whatnot is the sheer regularity of the data. Those parts should probably be left out of the encryption, since they lower the value of the overall security, and (on a well designed network) there's just not much you can do with the info.

OSI won't work... (4, Funny)

ImaLamer (260199) | more than 12 years ago | (#3788208)

OSI won't work for gov't certifications because the backdoor would be visible to the world.

[[[rimshot]]]

Hold on just a minute (-1)

Seth Finkelstien (582610) | more than 12 years ago | (#3788224)

What does this have to do with how Michael Sims hijacked the censorware project [censorware.net] ?

Re:Hold on just a minute (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3788374)

Jeeeeezus, another one? You really do have too much fucking free time on your hands, Michael.

Let me suggest a few more for when you tire of this one:
Seth F1nkelstein
Seth Finkelste1n
Seth Finke1stein
Seth Finkelstein on
Seth Finke1stein on
by Seth Finke1stein

And yes: Michael, you are a censoring assclown.

Use VPN, forget WEP. (5, Insightful)

netik (141046) | more than 12 years ago | (#3788234)

Dealing with the current state of wireless security isn't worth it.

Move all of your access points to a network that is outside the firewall. Treat the wireless network as if it is completely untrusted. Enable DHCP on the untrusted network, but do not route the network to anywhere except to the VPN concentrator.

Place a VPN Concentrator on the wireless network and give VPN clients to all of your wireless users. No VPN = NO ACCESS. Problem solved.

All of your company's encryption requirements can be handled by the VPN concentrator, which I'm sure you can get certification for.

Re:Use VPN and host-based firewall (1)

Gerdts (125105) | more than 12 years ago | (#3788338)

This advice is very sound. Be sure, however, that all of your machines have a host-based firewall that makes it so that the only hosts that can communicate with the wireless interface are the DHCP server and the VPN gate and then only over the ports that are required. The VPN tunnel interface can then be treated with relatively the same amount of trust as a hardwired machine inside the firewall.

Without doing this, all of your mobile clients become a very weak link in your network's security: a rogue wireless node could hack into your laptop running IIS (over the wireless link) then plant a trojan (or just turn on routing) that gives them access to the inside of the firewall through your VPN tunnel.

Microsoft's little fiasco a while back with crackers having access to their source code was essentially this type of attack. Note that in that case it was not a wireless network that was to blame, rather it was a broadband remote user that had a compromised machine.

You want it when? (2)

pdqlamb (10952) | more than 12 years ago | (#3788248)

You want it in your lifetime? Who's going to certify it? Better yet, who's going to pay to have it certified? Unless you want to explain, in court, to arrogant, hostile morons, why an OSS product meets the standards, you have to have somebody else state that it does. That costs money. One way or another, you're going to have to pay.

Why in court? Because at some point, somebody can claim that you failed to exercise "due diligence" for something -- somebody else's proprietary secrets, personal information, or your own insider information. That's why people pay for certification -- they can point to somebody else, whom they paid to tell them it was "good."

New bleeding edge technology (0)

Anonymous Coward | more than 12 years ago | (#3788250)

It's called two paper cups and a string between them, but then I guess it won't be as secure because of the possibility of some bird sitting on it listening in.

Bird on a wire (2, Funny)

ebonkyre (520924) | more than 12 years ago | (#3788784)

That sort of security breach would be quickly detected due to the severe signal attenuation caused by the bird's weight dampening the vibration in the string. However, as this technology grows in popularity and is used over longer distances, the amplification needed to combat degradation from the weight of the string would at some point overcome this means of detection - a possible solution would be to talk so loudly that the resulting vibrations would actually knock the bird off.

This does not address Denial of Service attacks caused by birds attempting to collect bits of the string for nesting material; a preferable solution to both issues would be to run the string inside a conduit with a diameter greater than the maximum amplitude of the carrier waves. Care should be taken to plan ahead and use larger conduits than are currently needed, in order to accommodate future increases in wave size.

Otherwise, everyone will be clamoring for "fatter pipes".

IPSec (4, Informative)

Junta (36770) | more than 12 years ago | (#3788252)

Wireless security in hardware is laughable. Some Cisco products are resistant to the attacks airsnort makes and some strategies can be employed to make WEP more secure, but the fundamental design is too flawed to trust. Feel free to turn on WEP but never ever expect it to buy you much of anything.

The best strategy for both data security and access control is to use IPSEC, FreeS/WAN for Linux and built in IPSec for Win2k and newer. If you have to use a dedicated WAP appliance, plug it directly into a gateway interface and have the wireless network on its own subnet, probably using a privately addressable subnet, since server applications on Wireless would be stupid most of the time. That gateway only would have udp port 500 and protocol 50, maybe 51 open, and the rest of the traffic coming in plain from the WEP gets dropped immediately. Now you are both forcing users to use secure transport level methods *and* preventing unauthorized use by those who do not have keys on the gateway. I'm not sure what certification it meets, but it is a proven, trusted technology as opposed to the "Wiretap Equivalent Protocol". Of course if the devices are very mobile and likely to be accessible from a public place or stolen, then you need to also have people use application level security to make sure the data is kept secret. At the endstations as well as while in transit.
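One way to build the firewall side of the design that netik, Gerdts and Junta describe above (wireless subnet treated as untrusted, only DHCP and IKE/ESP/AH reach the gateway in plaintext, a host firewall on each client that talks only to the DHCP server and the VPN gate), as an added example that is not code from any of the posters: a POSIX shell script that generates the iptables rules for the gateway and for a Linux client. The interface name wlan0 and gateway address 10.99.0.1 are assumed placeholders, and the `-m policy` match assumes a kernel with the xfrm IPsec stack rather than FreeS/WAN's KLIPS, where decrypted traffic appears on a separate ipsec0 interface instead.

```shell
#!/bin/sh
# Added example, not code from any poster in this thread: iptables rule
# generators for the "wireless segment is untrusted, IPsec/VPN only" design.
# wlan0 and 10.99.0.1 are assumed placeholders; adjust them to your network.
# By default the rules are only printed (dry run); run with APPLY=1 as root
# on the box in question to feed them to iptables.

WLAN_IF="${WLAN_IF:-wlan0}"      # interface facing the access points (assumed name)
VPN_GW="${VPN_GW:-10.99.0.1}"    # gateway / IPsec endpoint on the wireless subnet (assumed)

# Gateway side (the box that owns the wireless subnet and terminates IPsec).
# Plaintext accepted from the air: DHCP, IKE (UDP/500), ESP (proto 50) and
# AH (proto 51). Anything else is logged and dropped. Only packets that came
# out of an IPsec SA (matched with the policy module) may be forwarded to the
# wired side, so a bare plaintext frame never gets past the gateway.
wireless_gateway_rules() {
    cat <<EOF
-A INPUT -i $WLAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $WLAN_IF -d $VPN_GW -p udp --dport 500 -j ACCEPT
-A INPUT -i $WLAN_IF -d $VPN_GW -p 50 -j ACCEPT
-A INPUT -i $WLAN_IF -d $VPN_GW -p 51 -j ACCEPT
-A INPUT -i $WLAN_IF -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -i $WLAN_IF -j LOG --log-prefix "wlan-plaintext: "
-A INPUT -i $WLAN_IF -j DROP
-A FORWARD -i $WLAN_IF -m policy --dir in --pol ipsec -j ACCEPT
-A FORWARD -i $WLAN_IF -j LOG --log-prefix "wlan-forward-plain: "
-A FORWARD -i $WLAN_IF -j DROP
EOF
}

# Client side (each Linux laptop's host firewall): over the wireless
# interface the machine only speaks DHCP and IPsec, and only with the
# gateway. Traffic that was decrypted from the tunnel (inbound) or is about
# to be encrypted into it (outbound) is accepted; everything else is dropped.
wireless_client_rules() {
    cat <<EOF
-A INPUT -i $WLAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $WLAN_IF -s $VPN_GW -p udp --sport 500 --dport 500 -j ACCEPT
-A INPUT -i $WLAN_IF -s $VPN_GW -p 50 -j ACCEPT
-A INPUT -i $WLAN_IF -s $VPN_GW -p 51 -j ACCEPT
-A INPUT -i $WLAN_IF -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -i $WLAN_IF -j DROP
-A OUTPUT -o $WLAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $WLAN_IF -d $VPN_GW -p udp --dport 500 -j ACCEPT
-A OUTPUT -o $WLAN_IF -d $VPN_GW -p 50 -j ACCEPT
-A OUTPUT -o $WLAN_IF -d $VPN_GW -p 51 -j ACCEPT
-A OUTPUT -o $WLAN_IF -m policy --dir out --pol ipsec -j ACCEPT
-A OUTPUT -o $WLAN_IF -j DROP
EOF
}

# Number of ACCEPT rules a generator emits; a quick self-check when editing
# the rule sets (every ACCEPT should be DHCP, IKE, ESP, AH or an IPsec policy
# match, nothing else).
accept_rule_count() {
    "$1" | grep -c -- '-j ACCEPT$'
}

# Print the rules as iptables commands, or apply them when APPLY=1.
apply_rules() {
    "$1" | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = "1" ]; then
            # word splitting of $rule into iptables arguments is intended
            iptables $rule
        else
            echo "iptables $rule"
        fi
    done
}

case "${1:-gateway}" in
    gateway) apply_rules wireless_gateway_rules ;;
    client)  apply_rules wireless_client_rules ;;
    *)       echo "usage: $0 [gateway|client]" >&2 ;;
esac
```

Run it as `sh wlan-fw.sh gateway` or `sh wlan-fw.sh client` to review the rules before setting APPLY=1; add matching rules for a second gateway address if the DHCP server is a different host than the IPsec endpoint.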

Wireless Network Visualization Project (1)

brigc (30780) | more than 12 years ago | (#3788274)

It's good to make sure those wireless networks are secure... given how often wireless networks can be picked up outside the actual office building: Wireless Network Visualization Project [ku.edu] .

Certified Wireless products (1, Interesting)

Anonymous Coward | more than 12 years ago | (#3788315)

Well, there is one company that has an NSA certified wireless device: http://www.govcomm.harris.com/secure-comm/

I have not seen/used the product, so I cannot speak more about it.

What I do... (0)

Anonymous Coward | more than 12 years ago | (#3788328)

...Long ago I disassembled my TCP/IP stack and found the magic place that the final layer of frosting is put on each packet, before it gets shipped off over the network. I added code to PGP the sucker with the public key looked up by hash of MAC address for each computer on network. Obviously, I also added code to undo the PGP with the private key as soon as a frosted, freshly packaged packet is received. (So that each computer has 1) its own private key 2) the public keys of every other computer on our network).
The reason to use PKI instead of symmetric keys is so that one stolen computer can't compromise the rest of the network.
Also, after I finished that, I added functionality to gzip each packet, thereby making it smaller. That's the fun thing -- since binary is binary is binary, you can treat packets as though they're just files, pgp them, zip them, send them off as email attachments. I once made a TCP/IP over SMTP program. It basically passed hundreds of thousands of emails, thusly:
Subject: (Automated) Packet 279463.
Body:
This is part of an automated TCP/IP over SMTP protocol.
Please find packet 279463 of this session attached.
Thank you.

~Paul

Re:What I do... (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3788419)

you're quite a strange little man

Re:What I do... (-1)

Anonymous Coward | more than 12 years ago | (#3788455)

Did you get axed by WorldCom? or what? VPN baby?

Open source software can't meet this standard... (5, Informative)

splorf (569185) | more than 12 years ago | (#3788344)

and neither can closed-source software. Why?

Because FIPS 140-1 and 140-2 are standards for hardware cryptography. They are in fact pretty simple and a device with a small embedded processor running open source software can fulfill its requirements easily, by making the device meet certain criteria about tamper resistance and so forth. However, it's the whole device that gets certified, not simply the software inside it.

Note that certification costs quite a lot, like $50K or so. And of course you can't let users tamper with the firmware (i.e. by changing it) and have the device stay certified. It might be ok for the user to take the device apart and change the firmware resulting in an uncertified device, but if certification wasn't needed the user wouldn't have needed to buy the device to begin with.

FIPS 140-1 (2, Informative)

Anonymous Coward | more than 12 years ago | (#3788372)

I've been through the FIPS 140-1 validation process when I was working at Netscape. It's a very lengthy and expensive process, and I doubt anyone would pay for it on an OSS project.

Basically what happens is, you go talk to one of a number of organizations that NIST has approved to do the validation. Then you pay them a lot of money to go over your code. This generally takes one person full time on your side to answer their questions and deal with the paperwork. What they're looking for is how you handle key material, and how you implement and use various cryptographic algorithms. For example, at Netscape we had to make some modifications to our random number generator to match FIPS 186.

Even after your software is validated, you still don't know that it's "secure". All you know is that it conforms to FIPS 140-1. While this can give you some comfort as to the soundness of the design of the software, it doesn't insulate you from bugs that can create vulnerabilities.

Finally, you also have to worry about keeping your validation updated every time you change the code. You need to show that any of the changes you make don't affect the validation in order to preserve it.

802.11b wifi antennas (1)

comatose6032 (589008) | more than 12 years ago | (#3788401)

http://www.signull.com these people make cheap 802.11b wifi antennas

Re:802.11b wifi antennas (0)

Anonymous Coward | more than 12 years ago | (#3788490)

Looks like cheap pvc crap to me.... some threaded rod some washers and some connectors all worth 20 bucks max...

Secure Wireless Networks (2, Insightful)

Hard-Format (540955) | more than 12 years ago | (#3788418)

If you want a secure wireless network why not just implement every security procedure you can think of and stack them? I'm not too familiar with wireless, I've never actually dealt with it personally, but I've talked to people who have, and they said that they use 512 bit encryption combined with a DMZ, and that locks everything down pretty well. Then if you're REALLY REALLY REALLY paranoid and you want to contain the wireless users to a certain building, you can always line the walls with a wire mesh screen to block the signal. Yes, easier said than done, I know, but if you're psychotically paranoid it might be worth it.

Re:Secure Wireless Networks (0)

Anonymous Coward | more than 12 years ago | (#3788511)

Making your entire facility Tempest would be prohibitively expensive. What about using low power transmitters around your perimeter to jam the signal as it gets to the edge of your property?

Funny (2)

finkployd (12902) | more than 12 years ago | (#3788593)

Last meeting I went to at NIST they had wireless set up for us but had no security at all on it :)

Finkployd

Like 56-bit DES? (2)

jcr (53032) | more than 12 years ago | (#3788609)

Yeah, sure. Get a government certification. That will keep you safe.

-jcr

Harris SecNet (2)

bryan1945 (301828) | more than 12 years ago | (#3788621)

Check out Harris at
www.govcomm.harris.com/secure-comm

They make a PCMCIA card that is due to be tested for NSA Type 1 encryption soon. I saw it in action during source selection review, and it works pretty sweet.

I believe this will meet any encryption standards they could throw at you; it's good enough for the NSA!

Enjoy.

AirFortress (1)

ZeroLogic7 (26305) | more than 12 years ago | (#3788717)

The products from Fortress Technologies are actually pretty sweet. We use dozens of the little AF-1100s all over the place with a bunch of Lucent/Agere APs for bridging and the like. They just recently acquired the FIPS 140-1 certs for their software. I opened one up, voiding the warranty, and checked it out. (They run Linux on an embedded single board computer.) It's much simpler than IPSEC or VPN since it's layer 2. (And since it's layer 2, we're talking whatever protocol you want to run under Win32 and PocketPC.) The company [suprtek.com] I work for sells them for $1895.

Tool for FIPS app level security over wireless net (1)

juanfe (466699) | more than 12 years ago | (#3788755)

A company called Altarus [altarus.com] has a network protocol optimization tool that includes a FIPS-certified encryption mechanism.

We've used it to develop applications running on top of 802.11b networks, and aside from being able to address the security case, the transmission protocol does a bang-up job at optimizing data transmission over IP. The SDK is also pretty good.

Government Approved 802.11x Security Solution (2, Informative)

AggieEngineer (589018) | more than 12 years ago | (#3788767)

We are using the Fortress Technologies AirFortress Layer2 Encryption switch to secure wireless networks. It is FIPS 140-1 certified for government use with 3DES, AES-128, AES-192, and AES-256. We have tested it with PDAs using MIPS and StrongArm processors running Windows CE 3.0 and with wireless clients running Windows 95 (Rev. B), Win98, WinNT 4.0, and Win2K. The WinXP client is almost out of testing for release. The OS for the Fortress Security switch is Linux (they block shell access - it is a security switch), but there is no Linux client yet. If you would like for there to be a Linux client you'll have to contact the company (they say they could develop it but there hasn't been much customer demand). The email is tech@fortresstech.com. We are a wireless integrator for the government and we sell the Fortress security for $1895 on our GSA schedule. I can be contacted at rhay@suprtek.com. Also, we have tested this security solution with 802.11b access points (Cisco, Orinoco, Symbol, Netgear, Linksys, etc...). Also the Agere, Avaya, and Intel APs, but they are just the aforementioned vendors' OEM'd. The AirFortresses can be used to encrypt and decrypt either end of a bridged link or they can be used to protect a wired network from the wireless one, only allowing access to validated clients (it uses Diffie-Hellman key exchange and encrypts every frame to and from the wireless client). I have used Airsnort, Kismet, and Ethereal to observe the AirFortress encrypted packets and all you get is frames that have valid ethernet headers, a 0x8895 ethertype (the Fortress registered type), and encrypted bits. No IP headers. Anyway, it's government certified, it creates a very effective wireless DMZ that protects the wired network from the wireless one, and using it on the client end is a no brainer (it literally is transparent to the end user so it can survive a PBCK [Problem between chair and keyboard]).
We do wireless video for a Metropolitan Police Department and have a lot of wireless experience. And the AirFortress has an elegant solution for niche applications.