OPEN WIDE? J9’s Derek Krein says the WLAN gateway soon will recognize if a user is off-site and open with more restrictions. (Image: Susan Afsoosi)
PROJECT at a glance

Who: Joint Forces Command Joint Experimentation Directorate (J9).

Mission: Build a secure networking infrastructure to support the directorate’s job of conducting transformation R&D for the Defense Department.

What was: Prior to 2002, J9 operated like any other wired enterprise. Researchers were tethered to desks in order to access network resources and communicate with one another.

What is: Many J9 researchers and engineers no longer use desktop PCs at all. More than 270 people access the network using tablet PCs and J9’s secure wireless LAN. The directorate has also deployed wireless connections to network desktops in a new facility. J9 employs a five-layer defense-in-depth strategy to ensure the network is totally secure.

Users: More than 400 J9 employees—roughly 50 percent of all users—access information over the new WLAN. About 45 users can take advantage of the network’s voice-over-WLAN capabilities.

Impact: Overall, managers say productivity is noticeably improved, and J9 is confident its information is secure. J9’s new all-wireless facility is a model of flexibility: If the directorate moves out, the network goes with it. And now J9 is sought out by various government agencies to share its best practices for building a WLAN.

Duration: J9 began working with WiFi technology in September 2002. It rolled out the network in phases, reaching its current state by January 2005. The group continues to add new users and capabilities.

Cost: Despite the intricacies of J9’s secure WLAN, the group insists it cost less to deploy than they had expected—about $500,000. Now J9 is attempting to quantify the network’s total cost of ownership, including maintenance and management.


J9 has shared its wireless defense-in-depth recipe with a variety of agencies. The engineering team even offers what it calls a Deployable Experimentation Suite—basically a secure wireless LAN in a box, complete with hardware and software, including secure clients—for replicating its work on a limited scale. Over a couple of years, the J9 wireless LAN team evaluated several off-the-shelf products for securing its WLAN. Today those technologies make up five layers of protection.

Layer One: Separation. The wireless network is kept completely isolated from the wired network through a series of separate Cisco Catalyst 3550 Power-over-Ethernet switches connected to Cisco Aironet 1200 access points.

Layer Two: Encryption. The J9 network uses Layer 2 encryption gateways from Fortress Technologies Inc. of Oldsmar, Fla., to protect data links and mitigate the risks of broadcasting information. When it started out with WiFi, J9 found its IPSec virtual private network was broadcasting too much unencrypted data, including IP addresses, NetBIOS traffic, domain names and more. Thus the added encryption.

Layer Three: Authentication. Access to the wired infrastructure is controlled by wireless gateways from Bluesocket Inc. of Burlington, Mass. The Bluesocket WG-2100 gateways handle authentication and role-based access control.

Layer Four: Intrusion detection. J9 employs several wireless intrusion detection sensors from AirDefense. The WIDS sensors monitor the airwaves for attacks or rogue access points. The upcoming DOD wireless policy, which J9 was consulted on, is expected to require WIDS for WLAN deployments.

Layer Five: Security management. J9 recently implemented lab wireless management software from AirWave Wireless Inc. of San Mateo, Calif., to further enhance security by automating configuration management and monitoring access points and client statistics, among other things.


 10/10/05; Vol. 24 No. 30
Wizards of wireless

By Brad Grimes, GCN Staff

Defense experimentation lab builds a model for mobile computing
Still straddling the fence on whether to build a wireless network for your agency? Not sure if you can secure it properly? No idea whether it’s cost-effective, or even very useful?

Consider placing a call to the Joint Forces Command in Suffolk, Va., where the Joint Experimentation Directorate (J9) has built what is arguably the government’s most secure and efficient wireless LAN. You wouldn’t be the first to pick up the phone.

“Folks are really interested in what we’re doing. They’re looking for documentation and how they can mimic, in some ways, what we’ve done and use it in other areas,” said Derek Krein, J9’s head wireless engineer.

To date, folks have called mostly from other Defense Department agencies. Krein’s team has briefed representatives from the Office of the Secretary of Defense, the Defense Information Systems Agency, the Defense Intelligence Agency and the Navy-Marine Corps Intranet. But it’s also shared its wireless experiences with the Justice Department and the National Security Agency.

“And we have a large population of foreign liaison officers here at J9,” said Tony Cerri, the directorate’s head of experimentation engineering. Recently, J9 detailed its secure wireless infrastructure for officials from Germany, Singapore and Sweden. “It’s basically a cookbook,” Cerri said.

The ingredients of J9’s wireless LAN create what the team calls its defense-in-depth strategy: five layers of security to protect information that travels over J9’s wireless and wired networks.

Why five layers? Because when it first started building a WLAN in 2002, J9 quickly learned that no single product could provide adequate protection for an enterprise-level network. And despite being an experimentation lab, J9’s engineering team was in no mood to kick tires. It needed a secure WLAN to support its daily mission.

“We don’t innovate, we’re just solving problems,” Cerri said.

Today the WLAN supports more than 400 J9 users in three buildings. Roughly 270 of those users have adopted tablet PCs as their sole computing platform. Cerri said he’s been pleased with the way people have embraced the new model, which allows them to be more productive because they can access the network from anywhere.
 Savings and portability
What’s more, J9 has found the WLAN to be a money-saver, despite the multiple layers of technology involved. When it came time to network J9’s new Bridgeway facility in Suffolk, the directorate saved 50 percent over the cost of running wires to every desktop.

The new Bridgeway building is 100 percent wireless, and should J9 ever leave the building, the WLAN can go with it.

With a secure WLAN in place, J9 has been able to exploit the technology in other ways. Its new Foundry facility is a small-lab environment that supports multiple projects. J9 has set up the Foundry’s WLAN infrastructure so it can be dynamically partitioned into multiple small, medium or large networks that support 70 or more users, depending on need.

J9 also launched a secure voice-over-WLAN system for intra- and interbuilding communications. It currently supports about 45 users, and J9 is expanding it to the 75-person maximum allowed by its licensing agreement.

But not every wireless initiative at J9 has gone smoothly. The team wanted to provide streaming video over WiFi but might have to scrap those plans—although not because of technical difficulties. J9 was looking to roll out VX30 streaming software from a company called Maui X-Stream Inc. of Lahaina, Hawaii. Earlier this year, members of the open-source community accused MXS of incorporating open-source code into its products without following proper licensing procedures.

“The lawyers came back and said we could be held liable because we know about it,” Krein said. (J9 now employs its own full-time lawyer to work on intellectual property rights and other issues arising from JFCOM’s move toward more open systems.)

Not content with deploying a secure WLAN, J9 is in the process of rolling out an array of technologies designed to secure all types of mobile computing environments. Today the directorate is testing a remote-access solution for reaching its wired and wireless infrastructure using a Layer 2 policy enforcement agent from Senforce Technologies Inc. of Draper, Utah.
WLAN knows where users are
“It’s actually going to recognize whether you’re on-site or off-site and apply the policy accordingly,” Krein said. “If you’re on-site, it enforces [the gateway], opens up the firewall a little bit and allows you to do the things you need to do when you’re on-site. When you’re off-site, it turns on a firewall, forces VPN usage, ensures that antivirus software is up-to-date and ensures minimum patch levels.”

Krein said the remote access solution is still in pilot mode and is almost ready for deployment. As an added level of security for remote clients, J9 is rolling out software from Mobile Armor LLC of St. Louis, which performs whole-disk encryption.

“When you’re off-site, doing remote access, if you have a lost or stolen device, it protects the device with AES, FIPS-compliant encryption,” Krein said.

As one of J9’s on-site tablet PC users, Cerri said the Mobile Armor is as critical inside J9 as it is at remote sites.

“I oftentimes put my tablet down just like I would a piece of paper and can’t remember where I put the thing,” Cerri said. “It’s good to know something is locking my machine up when I’ve gone and done the human thing and forgotten about it.”
The products J9 is using for remote access security are mostly off-the-shelf, but one innovative solution is something J9 contracted to have specially built—silicon chips that use radio-frequency triangulation to determine where, exactly, an individual is accessing network resources from. Engineers are trying to get the technology down to the size of a USB key drive that can be worn around a user’s neck.

“It will allow us to verify not only that a person is who he says he is ... but also that he is where he says he is,” Cerri said. “We might grant him higher-level access if we know he is coming in from a secure facility, or less access if he’s sitting at a Starbucks.”
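The two passages above describe one decision rule from two angles: Krein's agent applies a different control set depending on whether the client is on-site or off-site, and Cerri's location chips add the idea that the access tier should depend on a verified location. The following Python is an added example written for this article, not code from J9, Senforce or Mobile Armor, and it models that rule as a small policy evaluator. The posture fields, the minimum patch level, the three access tiers and the fail-closed handling of an unverifiable location are all assumptions made for the illustration.

```python
"""Location-aware endpoint policy evaluator (added example, not J9's code).

On-site clients must be authenticated to the WLAN gateway and then get a
relaxed host firewall; off-site clients must run the host firewall, use the
VPN, have current antivirus and meet a minimum patch level, and even when
compliant receive only a restricted tier. A location that cannot be
verified is treated as untrusted. All field names and thresholds are
assumptions for this example.
"""
from dataclasses import dataclass
from enum import Enum


class Location(Enum):
    ON_SITE = "on-site"          # verified inside a facility
    OFF_SITE = "off-site"        # verified away from the facility
    UNVERIFIED = "unverified"    # no trustworthy location evidence


@dataclass(frozen=True)
class Posture:
    """Facts the policy agent has gathered about one client (assumed fields)."""
    location: Location
    host_firewall_on: bool
    vpn_active: bool
    antivirus_current: bool
    patch_level: int
    gateway_authenticated: bool


@dataclass(frozen=True)
class Decision:
    access: str                  # "full", "restricted" or "denied"
    actions: tuple[str, ...]     # controls the agent must enforce on the host
    reasons: tuple[str, ...]     # why access was reduced or refused


MIN_PATCH_LEVEL = 10  # assumed baseline; a real policy would version this


def evaluate(p: Posture) -> Decision:
    """Return the access decision for one client posture."""
    if p.location is Location.UNVERIFIED:
        # Fail closed: without location evidence, neither the on-site nor the
        # off-site rule set can be applied safely.
        return Decision("denied", ("block all network access",),
                        ("location could not be verified",))

    if p.location is Location.ON_SITE:
        # On-site: the wireless gateway does authentication and role-based
        # control, so the host firewall can be opened up a little.
        if not p.gateway_authenticated:
            return Decision("denied", ("redirect to WLAN gateway login",),
                            ("not authenticated to the WLAN gateway",))
        return Decision("full", ("enforce gateway policy", "relax host firewall"), ())

    # Off-site: every control must be in place before any access is granted.
    actions = ["enforce host firewall", "force VPN usage"]
    reasons = []
    if not p.host_firewall_on:
        reasons.append("host firewall is off")
    if not p.vpn_active:
        reasons.append("VPN tunnel is not active")
    if not p.antivirus_current:
        reasons.append("antivirus signatures are out of date")
        actions.append("update antivirus")
    if p.patch_level < MIN_PATCH_LEVEL:
        reasons.append(f"patch level {p.patch_level} below minimum {MIN_PATCH_LEVEL}")
        actions.append("install required patches")
    if reasons:
        return Decision("denied", tuple(actions), tuple(reasons))
    # Compliant but remote: the restricted tier, Cerri's "sitting at a Starbucks" case.
    return Decision("restricted", tuple(actions), ("client is off-site",))


if __name__ == "__main__":
    # Constructed sample postures, not real client data.
    samples = {
        "on-site, authenticated": Posture(Location.ON_SITE, True, False, True, 12, True),
        "off-site, compliant": Posture(Location.OFF_SITE, True, True, True, 10, False),
        "off-site, firewall off, unpatched": Posture(Location.OFF_SITE, False, True, True, 5, False),
        "location unverified": Posture(Location.UNVERIFIED, True, True, True, 12, True),
    }
    for name, posture in samples.items():
        d = evaluate(posture)
        print(f"{name}: {d.access}; actions={d.actions}; reasons={d.reasons}")
```

The useful property of writing the rule this way is that the reasons and enforced actions are returned with the decision, so the agent's log tells an operator exactly which control a remote client failed rather than only that it was refused.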
