Wireless Gives GAO Mobility

GAO's headquarters in Washington, D.C., will become a model government agency in the deployment of state-of-the-art technology, with the help of SRA International, a Fairfax, Va.-based government VAR. SRA has been a prime contractor for the GAO since 1997 for multiple IT-related projects, such as network management, security, user-support and help-desk functions. The GAO, with close to 4,000 employees, is responsible for gathering information to help Congress determine how well executive branch agencies are doing their jobs.

"After Sept. 11, the GAO decided on a plan to make secure WLANs available for everyday usage, as well as for disaster recovery," says Sonny Nguyen, IT security manager at the GAO, on loan from SRA.

The fact is, Congress found itself without an IT backup plan in early fall 2001. That left roughly 1,700 employees (senators, representatives and staff) out of the IT infrastructure when several government buildings were temporarily closed.

Deciding to move Congress into several floors of the GAO building was the easy part. Providing connectivity to government-computing resources required a little more thought. While there were some available Ethernet LAN drops in the building, there weren't enough to address the large number of temporary incoming residents. Furthermore, the GAO never had an extensive WLAN, only a handful of nodes in conference rooms that were used sporadically for training purposes.

"The options for network connectivity were to pull cable or go wireless," Nguyen says. The former solution would take months; the latter would take only days. "The decision was really self-evident," he adds. "Congress didn't have months."

In a matter of hours, Nguyen and his team set up a WLAN demo for the GAO's CIO, who quickly bought into the idea. In less than 48 hours, with approximately 100 technicians (SRA employees, subcontractors and GAO employees) working around the clock, a WLAN comprising 75 wireless access points (WAPs) and hundreds of wireless PC cards from SMC Networks, Irvine, Calif., was configured. A variety of Compaq notebook computers, configured with full access to IT applications, was used for WLAN connectivity.

The IT team worked 24/7 for the first week to make sure that Congress was fully supported using the WLAN technology.

"The WLAN solution worked without a hitch," according to Nguyen. However, the VAR had great concerns about WLAN security.

"At the time, operating the WLAN without robust security was a risk we had to take," he notes. For many IT organizations, existing WLAN standards aren't up to snuff. In particular, the Wired Equivalent Privacy (WEP) security algorithm is considered weak and often an obstacle to WLAN deployment. For temporary usage of the WLAN at the GAO office, the VAR configured the WEP encryption and tested for signal strength. He also beefed up WLAN security by assigning a dedicated virtual LAN (VLAN) on Cisco Systems' routers and switches to the wireless network, to isolate users from the general population of WAN users. The VLAN not only improved security, but also allowed for better monitoring, troubleshooting and problem-solving.

Finally, a mix of intrusion-detection products was also installed. The products, from Symantec, Cupertino, Calif., can identify threats in real-time as they occur on the network. The IT Security Group within the GAO monitored the VLAN.

Then, one month later, when Congress returned to its quarters, the WLAN was shut down. "Our plan was to turn on the WEP encryption long enough to support the temporary users until we came up with a better security solution," Nguyen says.

Shoring Up Security

For about a year now, Nguyen has been reassessing WLAN technology for deployment at the GAO and testing a more robust and secure WLAN technology. The two key requirements for WLAN security are authentication and strong end-to-end encryption, or keeping the bad guys out and making sure only the good guys have access to the appropriate applications.

In the past year, a number of third-party vendors have introduced WLAN products designed to improve network management and security. Among them is Burlington, Mass.-based Bluesocket, the vendor Nguyen is turning to for the GAO WLAN application.

The company offers the WG-1000 SOE (Small Office Edition), which supports small offices and workgroups of 15 users. It can support entire office floors of some 100 users (at 30 Mbps encrypted/100 Mbps unencrypted). For larger enterprises with higher-throughput user/density needs, Bluesocket's WG-2000 offers hardware-based encryption acceleration, delivering encrypted-data performance up to 150 Mbps, and up to 300 Mbps for unencrypted traffic.

Nguyen purchased seven WG-2000 wireless gateways from Bluesocket. Simply put, the WLAN-management product takes over security and management functions for the entire WLAN vs. individual access points; that's this vendor's answer to today's hot question of where intelligence in the WLAN should reside.

More specifically, the wireless gateway provides end-to-end encryption using IPSec, the developing IP security protocol of the Internet Security Task Force, as well as a means for authentication against an ACE/Server, a user-authentication solution from RSA Security, Bedford, Mass. RSA SecurID is a token-based security technology that authenticates users at the network, system and application levels, and is used in conjunction with RSA ACE/Server software.

The WG-2000 from Bluesocket is an enterprise solution that accommodates 300 users and approximately 30 to 40 WAPs, operating on either 802.11a or 802.11b WLANs. Today, the GAO WLAN that Nguyen is testing uses 802.11b, or 11-Mbps technology, and not the next-generation, higher-speed 802.11a products. He expects to move to 802.11a products at a later date.

To date, Nguyen has extensively tested the more secure WLAN by assigning a VLAN static address and using the WG-2000 to assign roles for authenticating users; control bandwidth using the product's class of service, a management feature that allows each user to be allocated an amount of the WLAN bandwidth; and enable roaming without requiring users to reauthenticate themselves as they cross subnets. He also has tested the protocol-filtering capabilities of the wireless gateway.

"The WG-2000 is a well-designed product that gives a high level of granularity, as far as control is concerned," he says, noting that it is also easy to use and the 150-Mbps throughput doesn't create a network bottleneck.

According to Dave Juitt, CTO and chief security officer at Bluesocket, the WG-2000 retails for about $12,995.

"We introduced the product as an intelligent device, which allows users to go with less expensive access points," he says. Another advantage of the Bluesocket solution, according to Nguyen, is that it uses the IPSec client that comes with Microsoft Windows 2000 and XP Pro, so there are no additional client costs or proprietary client software to install. "This approach reduces maintenance," he says.

Bluesocket's Juitt believes that the security pieces are now in place to enable secure WLAN deployments in government agencies, where at one time 802.11 deployments were banned.

"After Sept. 11, the government saw how WLANs provided the ability to rehost certain agencies and get people back on their feet," he says.

After months of road-testing both logistics and support of the secure WLAN, Nguyen is confident that it is ready for deployment.