Until very recently the federal government has maintained a moratorium on the use of WiFi technology because of worries about its security. This is beginning to change. Last week we reported that the super-hush-hush National Security Agency has selected Harris' SecNet 54 Secure Wireless Local Area Network for deployment. This week Aruba Networks has become the first vendor certified by the National Institute for Standards and Technology (NIST) as having achieved Federal Information Processing Standards (FIPS) 140-2 level 2 validation for IEEE 802.11i WLAN systems. More precisely: other vendors offer FIPS-validated point products or proprietary systems, but Aruba is the first, and so far only, vendor to offer an integrated system for the federal marketplace, including wireless intrusion detection and prevention, FIPS-validated Layer 2 and 3 encryption, and proven transition to FIPS 140-2 approved 802.11i. The NIST certification will allow Aruba to provide secure WLANs to the U.S. federal government using the IEEE 802.11i standard.
FIPS has been mandated by Homeland Security Presidential Directive 12 (HSPD-12), issued in August 2004 with the aim of bolstering the security of government-wide communication. The primary objectives of HSPD-12 are the development and deployment of a common, reliable, government-wide identification verification system that will be interoperable among all government agencies and serve as the basis for reciprocity between those agencies. The NIST Computer Security Division responded to HSPD-12 by initiating the Personal Identity Verification project and establishing a new Federal Information Processing Standard (FIPS).
802.11i is a WLAN security standard which improves the security of WLAN communications when operating in the FIPS-approved Robust Security Network mode. New WLAN policies from the Department of Defense will likely mandate that all network infrastructure and clients used by the federal government in unclassified wireless environments must be FIPS 140-2 approved for 802.11i. The government is now evaluating Commercial Off-the-Shelf technologies, such as 802.11i.
Aruba's mobility systems integrate wireless intrusion detection and prevention, VPN, stateful user firewalls, advanced cryptographic encryption and on-demand client integrity. In addition, Aruba provides EAP-offload capability in its FIPS-validated software. This is important, since EAP-offload allows sensitive authentication and key management transactions to be completed within the secure cryptographic boundary of the centralized mobility controller; they do not need to be transmitted as cleartext or using weak encryption algorithms between the mobility controller and an external RADIUS server. Alternatively, Aruba secures EAP-capable RADIUS servers by providing RADIUS-over-IPsec functionality as recommended by RFC 3579.