Shows & Panels
- AFCEA Answers
- Ask the CIO
- The Big Data Dilemma
- Carrying On with Continuity of Operations
- Connected Government
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Cyber Imperative
- Cyber Solutions for 2013 and Beyond
- Expert Voices
- Federal Executive Forum
- Federal IT Challenge
- Federal Tech Talk
- Mission-critical Apps in the Cloud
- The Path from Legacy Systems
- The Real Deal on Digital Government
- The Reality of Continuous Monitoring... Is Your Agency Secure?
- Veterans in Private Sector: Making the Transition
Shows & Panels
NIST offers help to secure wireless networks
Friday - 2/13/2009, 7:33pm EST
From cell phones to Blackberrys to wireless cards in laptops, nearly every federal worker and contractor connects to the Internet wirelessly these days. But there is no federal standard for securing these connections.
That is why the National Institute of Standards and Technology recently issued a draft guidance for how to use the Extensible Authentication Protocol (EAP), which is a way to protect the user and wireless network.
NIST Special Publication 800-120 is in draft and is focused mainly on federal wireless networks. Comments were due Jan. 30 and NIST expects the final guidance out this spring.
"By using wireless networks, you open up your network to attackers," says Katrin Hoeper, a former NIST guest research fellow and now a senior security engineer in Motorola's Applied Research and Technology Center. "You need to protect the network and the information on it and you also need to protect the users. You don't want federal users to think they are accessing their federal network, but in fact accessing someone else's network."
Hoeper says hackers can more easily get into unprotected or inadequately protected wireless links. NIST is calling for mutual authentication using EAP.
"The network and the user should establish a key to encrypt the wireless link," she says. "This document shows how federal agencies can use EAP to provide network access authentication to achieve all security objectives."
She adds that the draft guideline is mainly for network administrators to secure wireless networks, and that there are more than 40 different EAP methods and NIST wanted to narrow down the choices of what to use.
"If an administrator is setting up a network how do the know what to support?" she asks. "The draft gives some guidelines on what to pick and provides a general set of EAP methods and gives examples."
In the guidance, NIST says EAP methods have advanced in how they protect wireless networks.
Hoeper says many agencies rely on PIN and password authentication to wireless networks. But the guidance details when agencies should consider EAP instead of password log-on.
"What is done in EAP is first the network establishes a secure tunnel and then exchanges the password in that tunnel for authentication," she says. "Password-based authentication is used by a lot of older authentication systems and passwords are not very secure."
Hoeper was a guest research fellow at NIST for two years after she finished her PhD at Waterloo University in Ontario, Canada.
On the Web:
FederalNewsRadio - FEMA continues march toward IT centralization
FederalNewsRadio - Ask the CIO with ATF's Larry Bell
(Copyright 2009 by FederalNewsRadio.com. All Rights Reserved.)