Is Wi-Fi Secure Enough for Federal?

By Dolan Sullivan, Vice President of Federal at Aruba, a Hewlett Packard Enterprise company
Share Post

Wi-Fi may be available everywhere from Starbucks to the back of the airplane, but the people who keep our nation safe know they have to be extra careful when using their mobile devices. Wi-Fi has been broadly adopted for mission- and application-specific requirements, and mobility is becoming pervasive as more DoD and civilian agencies deploy wireless. Nevertheless, Wi-Fi security concerns linger.

Let’s put those concerns to rest: Wi-Fi is secure enough for government. Let’s take a closer look at why.

Strong Authentication is Built into Wi-Fi
The strength of Wi-Fi security rests on the strong authentication of users and their devices and the encryption of their network traffic. Users and their devices are who they say they are, and the authentication process is encrypted.

But Wi-Fi offers different security levels, and what’s appropriate for a coffee shop is very different than a military base.

Government networks should use WPA-Enterprise for authentication. WPA-Enterprise mandates that all devices authenticate themselves using 802.1X port-based authentication for networks. Digital certificates provide the strongest security, and when combined with smart cards or crypto tokens, provide two-factor authentication for greater security.

The communications between the user’s device, the mobility controller and the authentication server, such as Active Directory or RADIUS, must be encrypted. Government networks should use EAP-TLS to meet the different cryptography strengths required for unclassified but sensitive, secret and top secret. Encryption keys are derived independently by both the station and the authentication server.

Strong Encryption is Built in Too
Once the WPA2-Enterprise authentication is complete, the mobile device derives a set of encryption keys to ensure the confidentiality and integrity of the data transmitted over the network. These keys are then used to derive subsequent keys, which are ultimately used to protect network traffic. WPA2 generates new keys every time an authentication takes place, and during  a long-lived session, it will periodically re-key.

WPA2 relies on the CCMP encryption protocol, which uses AES as the underlying cypher. It is a block cipher that provides confidentiality, integrity protection and authenticity assurance. WPA2 provides 128 bits of encryption security strength, which is adequate for sensitive or unclassified networks, and is good enough for the protection of the secret classification, under the Committee on National Security Systems (CNSS) policy.

However, in an actual classified application, the NSA requires 192 bits of security strength for a Commercial Solutions for Classified deployment (CSfC). This means that WPA2 encryption cannot be used for CSfC deployments. However, Suite B encryption can be used to achieve the required 192 bits of strength.

Aruba Delivers a Security Advantage for Federal
The fundamentals of wireless LAN technology provide for strong authentication and encryption, but Aruba delivers an additional advantage.

Aruba’s WLAN security architecture is different than all other vendors. In the default configuration, known as tunnel mode, Aruba access points do not perform any encryption/decryption and therefore do not contain any encryption keys. The keys are not at risk of interception because they are never transmitted over the air, providing additional security.

Aruba APs receive wireless frames that are already encrypted from the radio, and immediately package these encrypted wireless frames into an IP tunnel to the mobility controller. Once at the mobility controller, the IP tunnel packet header is removed, and the encrypted 802.11 Wi-Fi frame remains. The controller processes this frame, decrypting it and turning it back into a standard routable IP packet.

Since Aruba APs don’t have encryption keys, they cannot process the Wi-Fi traffic locally. If an attacker gains physical control of an Aruba AP, he or she will be unable to break into the sessions that pass through the AP. Mobility controllers do need to be physically protected, and they are typically kept in the data center. But unlike other vendors, Aruba APs do not need physical protection.

Access Control for Multiuse Networks
Federal has long built different networks based on classification levels or communities of interest. Additionally, Wi-Fi guest access is becoming more common to allow a worker or service member to work easily outside of their usual work location. For instance, an employee may be visiting another department or a service member may be coming in from a different base.

In the past, it’s been necessary to air-gap networks, so there is complete physical separation between networks. That means deploying multiple APs in the same area, which leads to duplicate equipment and much higher costs.

Instead, Aruba takes a different approach. Multiple classification levels or communities of interest can securely share the same underlying network infrastructure.

Aruba Mobility Controllers integrate a full stateful firewall, which enforces security policies and separation between different types of Wi-Fi users. In an Aruba network, users can’t manipulate their network traffic to bypass firewall rules or obtain the rights from a different role. Encryption is centralized, so there is a solid, unbreakable link between network traffic coming from a user and the role and firewall policies applied to that traffic at the mobility controller.

Aruba makes it possible to create separate security zones as well. Network access may be granted equally within a security zone, or users may be segmented within the same zone to better protect against malware. Aruba’s Dynamic Segmentation solution performs this micro-segmentation – providing the network with critical Layer 4-7 knowledge as well as the identity, role and security profile of the user. (Learn more about Dynamic Segmentation in this blog.)

All users on Aruba Wi-Fi are already authenticated and their identities known. From there, Aruba ClearPass Policy Manager can determine which role a Wi-Fi user should be placed into by working with an organization’s identity management system. The user’s role is passed back to an Aruba mobility controller where the appropriate firewall policies are applied. ClearPass is Common Criteria certified.

Support Multiple Security Classifications
Aruba networks can support multiple security classifications over the same infrastructure, simplifying network design, operations and lowering CapEx. Traditionally, transmission of classified networks over Wi-Fi has been done by creating a dual-tunnel CSfC architecture, and that typically requires a fundamental change in the network architecture, which adds time and complexity.

Aruba’s MultiZone feature can be used to provide the necessary separation between security zones and support the requirements for Campus WLAN Capability Package (WLANP) 1.0 and 2.0.

Aruba’s centralized encryption architecture allows the MultiZone capability to provide equivalent security to physically separated networks. Because Aruba APs do not perform encryption or other security functions, the AP can be shared among different classification levels. Controllers have visibility only into the traffic corresponding to their SSID, so one controller cannot see another controller’s user information.

The Time is Right for Wi-Fi
Aruba networks have strong security built right into the infrastructure, enabling the armed services and civilian agencies to embrace mobility and the digital workplace, gaining the flexibility, collaboration and productivity benefits that workers in enterprise organizations do.

To learn more about Wi-Fi security and how Aruba’s approach is different, read the whitepaper Wi-Fi: Secure Enough for Federal Government?

See all of Aruba’s government validations and accreditations.