Physical security key to meeting federal, DoD requirements for wireless LAN installations

Where network security is a matter of national security, the requirements for securing wireless equipment take on additional importance.

The U.S. Federal Government and Department of Defense (DoD) have developed numerous documents specifying guidelines and procedures for deploying secure, mission-critical wireless LANs. An article now available at Oberon's website provides a brief guide to the various federal directives, instructions and Security Technical Implementation Guides (STIGs) regarding the installation wireless LAN infrastructure in government facilities, with an emphasis on physical security requirements for wireless access points.

As noted by Oberon, DoD Instruction 8420.01 establishes policy, assigns responsibilities, and provides procedures for the use of commercial WLAN devices, systems, and technologies. This instruction requires validated physical security. The directive states that APs used in unclassified WLANs should not be installed in unprotected environments due to an increased risk of tampering and/or theft. However, if installed in unprotected environments, the directive specifies that APs that store plaintext cryptographic keying information shall be protected with added physical security to mitigate risks.

In FIPS-140-2 Security Requirements for Cryptographic Modules, DoD Instruction 8420.01 specifies Security Level 2 for wireless LANs. Security Level 2 enhances the physical security mechanisms of a Security Level 1 cryptographic module by adding the requirement for tamper-evidence, which includes the use of tamper-evident coatings or seals or for pick-resistant locks on removable covers or doors of the module. Tamper-evident coatings or seals are placed on a cryptographic module so that the coating or seal must be broken to attain physical access to the plaintext cryptographic keys and critical security parameters (CSPs) within the module. Tamper-evident seals or pick-resistant locks are placed on covers or doors to protect against unauthorized physical access.

DoD Components may choose products that meet FIPS 140-2 Overall Level 2 or higher validation to ensure that the AP provides validated tamper evidence, at a minimum. Alternatively, DoD Components may physically secure APs by placing them inside of securely mounted, pick-resistant, lockable enclosures. The directive states that WLAN APs used to transmit or process classified information shall be physically secured, and methods shall exist to facilitate the detection of tampering. FIPS-140-2 paragraph 4.5 states "A cryptographic module shall employ physical security mechanisms in order to restrict unauthorized physical access to the contents of the module and to deter unauthorized use or modification of the module (including substitution of the entire module) when installed. All hardware, software, firmware, and data components within the cryptographic boundary shall be protected."

Oberon notes that its wireless access point enclosures can simplify the planning of federal network deployments. Secure, locking doors protect wireless APs behind ABS plastic providing strength while remaining virtually invisible to wireless signals. Enclosures are secured to building structure for greater security. Access points securely mounted within the enclosure can be easily reached by authorized personnel via the locking door, making moves, adds, and changes fast, easy, and convenient in high-traffic, high-security environments.

View Oberon's article about DoD resources relating to wireless network security in federal facilities.

More in Wireless/5G
Are You Ready for Wi-Fi 6?
Sponsored
Are You Ready for Wi-Fi 6?