Aruba Networks has added National Security Agency (NSA) Suite B cryptography to its products, offering solid-enough wireless LAN security for government agencies and highly attack-prone enterprises.
Many IT leaders have distrusted wireless LAN security since hackers thoroughly cracked Wired Equivalent Privacy (WEP), the former de facto Wi-Fi security protocol. These IT pros haven't been won over by the industry's move to the 802.11i standard, Wi-Fi Protected Access (WPA2).
WPA2 has also been unacceptable to government agencies that have employees who must access classified data and communications, making mobility efforts at agencies like the U.S. Department of Defense and the State Department extremely difficult.
Most classified networks are built with proprietary technologies certified by the NSA that are usually five or six years out of date compared to the commercial technologies used for unclassified networks. To address this issue, the National Security Agency has been developing a new set of algorithms aimed at improving the ability of government agencies to share information securely and rapidly. NSA Suite B cryptography is the result of that project. By implementing Suite B in their products, wired and wireless network vendors can develop commercial grade products that meet the security standards of the NSA.
NSA Suite B cryptography: "Game changer" for high-security government agencies
The U.S. National Nuclear Security Administration (NSSA), the agency responsible for the management and security of the country's nuclear weapons arsenal, like most government agencies, has built air gaps, or physically separate networks, for its classified and unclassified data. For most of these agencies, the classified network, whether wired or wireless, is usually built with proprietary hardware specified and built by the NSA to meet security requirements. Often these agencies rely on physical security measures to limit access to these classified networks, such as locking devices in safes and vaults.
"It's not unusual to go into someone's office and see two or three computer systems and two or three sets of cables coming separately into the office, depending on what network they need to be working on. That's horribly inefficient. Just refreshing that equipment and keeping up with all those networks is hugely expensive," said J. Travis Howerton, chief technology officer at the NSSA.
But NSA Suite B cryptography could be a "game changer" for the NSSA. Howerton, who has a $1 billion budget, could reduce costs by 10% or 15% if he could just partially consolidate his networks using wireless technology. Also, a mobility strategy that depends on a secure wireless LAN could make employees more productive. Until now, his classified wireless LAN security requirements have exceeded what most commercial wireless vendors could provide. "Basically our mobility strategy today is the BlackBerry," he said.
Howerton wants to offer his employees more than that. He's looking at virtual desktop infrastructure (VDI) and mobility as ways to consolidate technology and improve productivity. He envisions using NSA Suite B cryptography to provide both classified and unclassified access to VDI through commercial grade smartphones and tablets.
"What we're looking at is how do we build a mobile infrastructure and not have to build it multiple times? With Suite B … maybe I can build out my wireless infrastructure once and support both [classified and unclassified] networks with the same infrastructure and cabling. The other piece we're trying to layer on to that … is desktop virtualization. If I can virtualize my desktop and have a thin device, I ought to be able to go to a Web portal and say, 'Which network do I want to go to, the [classified] side or the [unclassified] side?’ I should be able to click and go right through the appropriate environment knowing I'm on a thin client and nothing gets pulled down to the device."
Today, when NSSA engineers are dismantling or repairing nuclear weapons out on a shop floor, their access to procedural documents is limited. They have to leave their workspace and go to a document control center and examine the information there. With NSA Suite B encryption, the NSSA could mobilize that data, Howerton said.
"[With Suite B], mobile workers on my shop floor at our production sites could use an iPad or tablet device to pull down their virtual desktop and get the procedures they need in real time," he said. "The idea is to untether people from their desk, allow them to move wherever they need to be to do their job, and get the full suite of services that they would get from their desktop. The difficulty we have is this classified component, which has always historically been very limiting to us. With Suite B we can bridge that gap."
NSA Suite B cryptography: An answer to enterprise wireless LAN security naysayers
Aruba is offering NSA Suite B cryptography through a software upgrade on its wireless LAN controllers and its Virtual Intranet Access (VIA) agent software, a hybrid IPsec/SSL VPN client. Suite B will cost most customers about $100 per licensed user, up to $200 in the smallest deployments, according to Dave Logan, vice president of government solutions for Aruba. With Suite B available on the VIA client, Aruba customers can secure both wireless LAN access and remote access, he said.
Other networking vendors, both wired and wireless, are sure to follow with NSA Suite B cryptography support on their own products. Fortress Systems, which specializes in providing wireless networks to the Department of Defense, already offers Suite B. Howerton said he has spoken with Cisco Systems about its Suite B roadmap, too. Today Cisco has a Suite B implementation available in its VPN products.
NSA Suite B cryptography could ease the concerns of those who are still skeptical of wireless LAN security in the post-WEP era.
Logan said enterprises in industries that are subject to specific intrusion threats, such as financial services, oil and gas production and online gaming, might all find NSA Suite B cryptography appealing.
"If you've been holding off on wireless because you've been concerned about security—and I know people even today who still hold that opinion—[Suite B] ought to put that to bed once and for all," said Craig Mathias, principal at Farpoint Group. Mathias estimated that 10 to 20% of enterprises remain skeptical of wireless LAN security. Some of those companies have deployed wireless to some extent, but security is a constant worry for them.
"They've simply felt that because wireless signals can travel arbitrarily over some distance, that they could be intercepted and decrypted," he said. "In reality, WPA2 is pretty secure. If you layer that with 802.1x for authentication and VPN for upper layer security, that's even better. But what exists in Suite B is even better. It's elliptical curve cryptography, which is what the BlackBerry has been using all these years. If this isn't good enough for you, I don't know what would be. Encryption has gotten to the point where the NSA is blessing [Suite B cryptography] and that says something because those guys are very, very tough."
Let us know what you think about the story; email Shamus McGillicuddy, News Editor.